PROTECTING YOUR PERSONAL DATA: HOW LAW ENFORCEMENT WORKS WITH THE PRIVATE SECTOR TO PREVENT CYBERCRIME


Wednesday, April 16, 2014 

U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies,
Philadelphia, PA.

The subcommittee met, pursuant to call, at 10:18 a.m., at the Paul Peck Alumni Center, Drexel University, 3142 Market Street, Philadelphia, PA, Hon. Patrick Meehan [Chairman of the subcommittee] presiding.

Members present: Representatives Meehan, Fitzpatrick, and Clarke.

Mr. Meehan. The Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will come to order. We are waiting for a moment, although we will begin, because by the time I am concluded with our opening statements and other things — my partner, Ms. Clarke, the Ranking Member from New York, had a little bit of trouble with the trains this morning, but she is, I know, out of the train and on her way up, so I think we will try to get the hearing started, and I will look forward to having her make her opening statement as soon as we begin.

I am — want to first express my deep appreciation to Drexel University for allowing us to use this beautiful venue for this hearing, and to also take a moment to plug the tremendous work that Drexel University is doing with the creation of their new cyber institute, which is not only using research and development to work with — the educational sector to work with the private sector and the Government sector in identifying the newest and best ways to deal with the threat of cyber — with cybersecurity, and dealing with the threats to information, but they are also going to be training the next generation of participants in the process of helping us to create better protections. I think it is a remarkable new area, and we are very grateful to have that kind of a commitment here in this region. I know it is something shared with other universities as well, but particularly what Drexel is doing is noteworthy around the country.

I also have to make note of this, guys, and it is not customary, because of the angles of the sun, it is generally law enforcement that has people locked in rooms with lights shining in their faces. Then they, you know, then they ask the tough questions. So this is kind of turnabout. We will have to see how you enjoy that aspect of it.

At this moment I am going to ask unanimous consent for Congressman Mike Fitzpatrick to participate in the hearing. Hearing no objection, so ordered. I want to express my deep appreciation to Congressman Fitzpatrick, not only for the work that he does in the broad spectrum of issues for our region, but because Congressman Fitzpatrick is growing in his importance on the Financial Services Committee. This is an area in which he has been spending time as well, and I am very grateful for his participation. When my colleague, Ms. Clarke, arrives, I will take a moment to comment on our relationship. But allow me to begin by doing an opening statement.

I want to welcome all of the witnesses, and extend my thanks for participating in today’s hearing, and I appreciate the effort taken on behalf of all of those involved in this important field hearing. This is an official Congressional hearing, as opposed to a town hall meeting, or something else that we would traditionally do, so we have to abide by certain rules of the Committee on Homeland Security, and the House of Representatives. This is as if we are sitting in the House today, so photography, and cameras and other things are limited to accredited press, and we want to make sure that we respect the decorum and the rules of the committee.

I am going to give my colleague a moment to collect herself as I do my opening statement, but I would also — I did want to take a moment while Congresswoman Clarke was here to share with you — we have had the great fortune to be working together for much of the last term on this important committee. While, certainly, there are a few occasions where we have to zealously argue for our philosophical positions, the fact of the matter is it has been a remarkable working relationship. We have had the ability to collectively identify and work on a number of issues with respect to cybersecurity, including some very substantial legislation that has passed the committee unanimously, and in a bipartisan fashion, and has been a real joy to be able to work with Congresswoman Clarke in this capacity. I want to express my deep appreciation for you taking the time to come down from New York to join with us today at this field hearing. So I will recognize myself for an opening statement.

Recent cyber breaches at retailers, including Target, Neiman Marcus, and Michael’s, have once again brought the public’s attention to the threat of criminals accessing their personal information. Unfortunately, such data breaches are neither new nor rare. The Target attack alone compromised the information of approximately 110 million consumers, and it could be months, or even years, before we know how many of those customers will eventually be victims of fraud. In 2012, an estimated 16.6 million Americans experienced identity theft, costing consumers nearly $25 billion, so this problem is not going away. Just last week many people learned about the so-called Heartbleed vulnerability that affects the encryption software used in many e-commerce sites.
While fraud is nothing new, the techniques and scope have risen to a new level. Our increasingly interconnected world, and the advancement of on-line shopping and banking, has made our lives much more convenient, but it has also meant that a sophisticated criminal can steal your account information without ever being in the country. In fact, the biggest hotbed of hackers is in Eastern Europe, where criminals can buy, sell, and trade various pieces of software used to attack systems and steal information.

The question then becomes: What is being done about it? From the retailers responsible for protecting the information in their systems, to the banks who are liable for fraudulent charges, to law enforcement at every level, and that means local, State, and Federal, who are charged with going after the criminals, all of the stakeholders here play a role, and are working hard to counter cyber fraud and identity theft. I add that this is an issue that is well within the boundaries of our committee, and I am pleased to be able to work with Congresswoman Clarke as we engage in a series of hearings that will unfold in dealing with this important question.

Consumers must also do their part to protect themselves. Simple steps to increase cyber hygiene include creating strong passwords and changing them regularly, using anti-virus software, and keeping it updated, and most importantly, keeping an eye out for suspicious activity on your computer, and in bank accounts. So I am looking forward to hearing from all of our witnesses about the outreach they do to inform consumers to better protect themselves.

Our first panel of witnesses is directly responsible for investigating cyber crimes at the Federal and local level. In addition to its role as the lead agency investigating the recent retail breaches, we will hear from the Secret Service about the tools at their disposal, including the National Cyber Forensics Institute, which trains local law enforcement officials to investigate and prosecute cyber crimes, the Cyber Intelligence Section that collects, analyzes, and disseminates data, and the Electronic Crimes Task Force, that brings together law enforcement, academia, and the private sector to combat computer-based threats to our financial systems and critical infrastructure.

Similarly, I am pleased to have the Federal Bureau of Investigation, who will testify about their role in investigating cyber-related crimes, and about the National Cyber Investigative Joint Task Force, which was created in partnership with the Department of Defense and the intelligence community, also including law enforcement and the private sector, to coordinate and share information. That is critical as we deal with real-time transactions.

We are also going to hear from the local level, which is vitally important, and I am pleased that District Attorney Jack Whelan of Delaware County is able to be here, and he has a criminal investigation division which leads local efforts to fight cyber crime. District Attorney Whelan will share with us thoughts on how he uses his resources to deal with the investigations which have an effect on the community, and then, in addition, how we are doing at the Federal level in coordinating and helping to engage those resources at the local level.
Our second panel will discuss efforts in the private sector to prevent and respond to cyber attacks. They are the ones on the front lines, fighting the problem, and continue to suffer significant financial losses. I know we will likely hear, 85 percent of the assets that are engaged in the world of cyber are in the hands of private entities. This partnership is more critical than perhaps any other area. I am particularly interested in hearing from them about how they interact with law enforcement, and how we can help protect their customers. I look forward to hearing from all of our witnesses today, and want to thank everybody for their attendance.

Let me just conclude by saying one last thing. There are so many different aspects of cyber. You know, we deal with the threat of terrorism on a regular basis. We have State-sponsored activities, which is quite sophisticated, and often deals with the question of cyber espionage, and other kinds of things. There is the reality that the cyber world is a new dimension for warfare. In fact, there is a great deal of activity that takes place with the Department of Defense, the intelligence community, and others that operate in that domain.

But today we are focused on, how does this question come back to the local level, to the local consumer, to the person out there, to the small businessman, to the community banker? Because in the aftermath of the major issues that we have recently seen, such as Target, we realize that real lives are affected, and so our purpose today is to focus in that unique area, and I am grateful for the tremendous witnesses we have.

So I now recognize the Ranking Minority Member of the subcommittee, the gentlelady from New York, Ms. Clarke, for any statement she may have.

Ms. Clarke. I want to thank you, Mr. Chairman, for holding this field hearing in Philadelphia today, a place I know that is close to your heart, and I might say the City of Brotherly, and I might add “Sisterly”, Love, here on the campus of Drexel University. It is certainly my honor and privilege to come, and to hear from the witnesses today, and to thank you for taking us into the field, where we will have an opportunity to really reflect on how this type of cyber activity impacts on our local communities.

Modern-day criminals increasingly rely on the internet and advanced technologies to spread their criminal operations. I think everyone would agree that the internet technology has now emerged as a key factor for the majority of organized crime activity. For instance, criminals can leverage the properties of the internet to carry out traditional street crime, such as distributing illicit drugs and sex trafficking. But what we are here to talk about today is how criminals exploit the digital world to assist crimes that are often technology-driven, including identity theft, payment card fraud, and intellectual property theft.

As we will hear today, the FBI considers high-tech crimes to be the most significant crimes confronting the United States as a Nation, and we, on the subcommittee, have shown an increasing interest in guaranteeing the Federal Government has the tools and capabilities to combat modern-day crime, particularly those with cyber components, while safeguarding privacy rights.
Today’s cyber criminals make their crimes more profitable by choosing specialties, and creating cyber networks of colleagues. These types of criminals can victimize individuals and organizations alike. They generally are motivated by self-interest and profit, but cyber crimes can have public health and National security consequences, especially when cyber crimes are directed towards critical infrastructure, such as our hospitals, water systems, Governmental entities, or our Nation’s financial systems.

U.S. officials face the challenging task of identifying the perpetrators of malicious cyber incidents, in which victim and criminal can be far removed from one another. The person or persons behind an incident can range from lone actors to expansive criminal networks, or even nation-states. This challenge of attribution is further compounded by the anonymity afforded by the digital realm.

It can sometimes be difficult to determine the actor’s motivation. Is the criminal driven by greed or glory, in the forms of recognition among fellow criminals in the cyber world, or does the criminal have broader ideological motives? Finding the answers to these questions is key to distinguishing between cyber crimes and other cyber threats, such as cyber attacks, cyber espionage, and cyber warfare. Relevant distinctions exist between these various malicious activities in the cyber domain, just as lines have been drawn between their real-world counterparts, and today’s hearing will help us understand those distinctions.

In July 2011 the Obama administration released a strategy to combat transnational organized crime, addressing converging threats to National security. This strategy provides the Federal Government’s first broad conceptualization of transnational organized crime, highlighting it as a National security concern. It highlights 10 primary threat categories posed by transnational organized cyber crime, penetration of state institutions, corruption, and the threats to governance, threats to the economy, threats to U.S. competitiveness in strategic markets, the nexus between criminals, terrorists, and insurgents, expansion of drug trafficking, human smuggling, trafficking in persons, weapons trafficking, intellectual property theft, and finally, cyber crime.

The President’s strategy outlies, excuse me, outlines key actions to counter the range of threats posed by building international capacity, cooperation, and partnerships, and taking shared responsibility to identify what actions Federal, State, and local entities can take to protect against the threat, and impact on transnational cyber crime.

We are here today to discuss complex prosecutorial and investigative problems that face law enforcement officials and companies when dealing with cyber crime, and I look forward to your testimony. With that, Mr. Chairman, I yield back.

Mr. Meehan. I want to thank the Ranking Member for her opening statement, and I want to express now my deep appreciation to my colleague from Bucks County, Congressman Fitzpatrick, for joining us today, and I recognize him for any opening statement he may like to make.

Mr. Fitzpatrick. This is an issue that affects just about every sector of our lives, sector of our industry. As the Chairman did thank Drexel University, not only for hosting us, but for your interest in the issue of cyber terrorism, for what you have done so far in teaching students, and being involved in the community, and what we know you will continue to do in the future.

The committee on which I serve, which is Financial Services, held a subcommittee hearing on this exact subject just last month, and we were also joined at the subcommittee hearing by law enforcement and financial service industry representatives, and it was a really informative hearing.

The subject of this morning’s hearing is an important subject that we cannot spend enough time on. Cybersecurity has privacy, financial, law enforcement, and, quite frankly, National defense implications. This is a critical issue that is not only — that is only going to grow in importance as we come to rely even more on digital and cyber infrastructure, and cyber transactions.

During the Financial Services hearing I mentioned, the feedback that I was hearing, and from small community financial institutions back home in my district in Bucks County, Pennsylvania, was how they and their customers are increasingly concerned about cybersecurity. For them, the cost is not just the money that is stolen, but they are also responsible for notifying customers and for replacing credit cards and debit cards after the incident occurs. That takes manpower. That has material costs. These costs are borne by financial institutions of all sizes, but are disproportionately burdensome to community banks and small financial institutions, and credit unions as well.

Protecting personal information and financial data is a shared responsibility. It is going to take collaboration and cooperation among retailers, private institutions, and financial service providers. As this hearing will explore, the Government has an important role to play not only in law enforcement, but ensuring that individuals, businesses, and public property are protected. After all, these are homeland security issues. It is not just criminals who are seeking to exploit security lapses, but also nation-states, and non-state enemies of the United States who could, and have, attacked our banking sectors, as well as other critical infrastructure areas.

So, again, I am very interested in this topic. I appreciate the Chairman calling the hearing here in the City of Brotherly Love, the city of Philadelphia. We are all looking forward to the testimony of the two panels today, and I appreciate the chance to participate.

Mr. Meehan. I thank the Congressman for being here. We are pleased as well to have two distinguished panels of witnesses before us today on this important topic. I am going to introduce the first panel, and then recognize each of you for your testimony.

First, to my left, is Mr. Ari Baranoff. He is an assistant special agent in charge of the criminal investigative division with the United States Secret Service. Mr. Baranoff has had over 19 years of Federal law enforcement experience, the majority of which has been with the Secret Service. He is currently assigned to the Secret Service headquarters in Washington, DC, and is the manager of the cyber investigations branch, where he has overseen the investigation and capture of the Secret Service’s most wanted financial criminals.

Prior to assuming command of the cyber investigations branch, Mr. Baranoff led the New York Electronic Crimes Task Force, and it is a — I am greatly appreciative that you would travel from Washington to be with us here today. All of our witnesses are among the Nation’s top experts in these areas.

Richard Quinn, from the Federal Bureau of Investigation, is an assistant special agent in charge here in the Philadelphia field office. He focuses on National security issues. Prior to his work in the Philadelphia field office, Mr. Quinn was an FBI counterterrorism agent in New York. Mr. Quinn witnessed the horrific attacks on the World Trade Center on September 11, 2011, and was one of five agents assigned to the primary team to investigate the aftermath. That is the kind of an incident that always lingers in our minds, and I think one day after the first anniversary of the Boston bombings as well, we still live with a very real recognition that — a lot of why we are here today, and the great work you are doing protecting our homeland from the threat of terror, in addition to things like the cyber threat.

Here from the local law enforcement community, representing his colleagues from across the region, is district attorney for Delaware County, Pennsylvania, Jack Whelan. Jack was elected in November 2011. As a district attorney, DA Whelan is responsible for the prosecution of criminal offenses within the jurisdiction of Delaware County, including homicides and drug enforcement, as well as cyber crime. Before becoming district attorney, Mr. Whelan served as the chairman of the Delaware County Council, where he took a lead on many public safety issues that focused on homeland security. I might add, the Internet Crimes Against Children Task Force is housed in the District Attorney’s Office for the State-wide region in Delaware County, and it has been a mechanism by which that office, working with a consortium, has been at the cutting edge of cyber investigations across the board.

So I want to thank all of you for being here. The full written statements of the witnesses will appear in the record. So we don’t have the usual demands that we might customarily have because of the size of our committee here this morning, but I will still ask you to do your best to stay within the time frames, to the extent that you can. So, at this point, I will recognize Mr. Baranoff for your opening statement.

STATEMENT OF ARI BARANOFF, ASSISTANT SPECIAL AGENT IN CHARGE, CRIMINAL INVESTIGATIVE DIVISION, UNITED STATES SECRET SERVICE

Mr. Baranoff. Thank you, sir. Good morning, Chairman Meehan, Ranking Member Clarke, and distinguished Members of the subcommittee. Thank you for the opportunity to testify here at Drexel University on behalf of the Department of Homeland Security regarding the cyber crime threats our Nation faces, and how law enforcement works with the private sector to prevent cyber crime.

Our modern financial system depends on information technology for convenience and efficiency. Accordingly, criminals motivated by greed have adapted their methods, and are increasingly using cyber space to exploit our Nation’s financial payment systems to engage in fraud and other illicit activities. The widely-reported payment card data breaches of Target, Neiman Marcus, White Lodging, and other retailers are just recent examples of this trend. The U.S. Secret Service is investigating these recent data breaches, and we are confident that we will bring the criminals responsible to justice.

However, what you don’t hear in the news coverage is the numerous data breaches the Secret Service prevents by discreetly working with businesses to disrupt and thwart the plans of cyber criminals. This year is the 30th anniversary of when Congress first defined as specific Federal crimes both unauthorized access to computers and access device fraud, while explicitly assigning the Secret Service authority to investigate these crimes. Over the past 3 decades the Secret Service has continuously innovated in how we investigate these crimes to defeat the criminal organizations responsible for major data breaches.

In support of the Department of Homeland Security’s mission to safeguard and secure cyber space, the Secret Service uses a variety of investigative methods to develop information regarding the most capable cyber threat actors. To prevent losses, we share information with victim companies of on-going or planned network intrusions to prevent any financial losses.

To accomplish this mission, the Secret Service currently operates a network of 35 electronic crimes task forces, which in 2001 Congress assigned the mission of preventing, detecting, and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems. In addition, through our department’s National Cybersecurity and Communications Integration Center, the NCCIC, the Secret Service also widely shares technical cybersecurity information, while protecting civil rights and civil liberties in order to enable other organizations to reduce their cyber risks by mitigating technical vulnerabilities. As a result of our cyber crime investigations over the past 4 years, the Secret Service has arrested nearly 5,000 cyber criminals. In total, these criminals were responsible for over a billion dollars in fraud losses. We estimate our investigations prevented over $11 billion in fraud losses.

Secret Service is committed to building the cybersecurity capacity of our Nation, and developing a greater understanding of cybersecurity threats. Universities and research institutions like Drexel, and its recently-opened cybersecurity institute, are critical partners of the Secret Service in these efforts. Drexel University continues to be a valued member of our Philadelphia Electronic Crimes Task Force, and this highly-productive partnership is an excellent example of the sort of relationships the Secret Service has developed with over 200 academic institutions Nation-wide to our electronic crimes task forces. The Secret Service also partners with the private sector and academia to research cyber threats, and publish information on cyber crime trends, through reports like the Carnegie-Mellon CERT Insider Threat Study, the Verizon Data Breach Investigations Report, and the Trustwave Global Security Report.

Secret Service develops the capability of State and local law enforcement to investigate cyber crime. At our National Computer Forensics Institute in Hoover, Alabama, the Secret Service trains hundreds of State and local law enforcement in methods for investigating cyber crime. Since opening in 2008, the institute has held over 150 cyber and digital forensics courses in 16 separate subjects, and trained and equipped more than 3,000 police investigators, prosecutors, and judges from all 50 States, and three U.S. territories. These graduates represent more than 1,000 agencies Nation-wide, and include 52 law enforcement officials right here in the Philadelphia Metropolitan area.

Secret Service has a long history of protecting our Nation’s financial system from threats. In 1865 the threat we were founded to address was that of counterfeit currency. As our financial payment system has evolved from paper, to plastic, to now digital information, so too has our investigative mission. The Secret Service is committed to continuing to protect our Nation, even as criminals increasingly use cyber space to engage in criminal activity.

Thank you for the opportunity to testify on this important topic, and I look forward to your questions.

[The prepared statement of Mr. Baranoff follows:] 

Prepared Statement of Ari Baranoff 
April 16, 2014 

Good morning Chairman Meehan, Ranking Member Clarke, and distinguished Members of the subcommittee. Thank you for the opportunity to testify here at Drexel University on the risks and challenges the Nation faces from cyber crime and the importance of partnering with the private sector to address these challenges. Based on the United States Secret Service’s (Secret Service) 3 decades of experience investigating cyber crime and the understanding we have developed regarding the modern transnational organized cyber crime threat to our Nation, I hope to provide this subcommittee useful insight into these issues from a Federal law enforcement perspective.


THE ROLE OF THE SECRET SERVICE 

The Secret Service was founded in 1865 to protect the U.S. financial system from the counterfeiting of our National currency. As the Nation’s financial system evolved from paper to plastic to electronic transactions, so too has the Secret Service’s investigative mission. Today, our modern financial system depends heavily on information technology for convenience and efficiency. Accordingly, criminals have adapted their methods and are increasingly using cyber space to exploit our Nation’s financial payment system by engaging in fraud and other illicit activities. This is not a new trend; criminals have been committing cyber financial crimes since at least 1970.[1]

Congress promulgated 18 USC §§ 1029-1030 as part of enacting the Comprehensive Crime Control Act of 1984. Those subsections explicitly assigned the Secret Service authority to investigate these criminal violations.[2] They first established as specific Federal crimes unauthorized access to computers[3] and the fraudulent use, or trafficking of, access devices[4] — defined as any piece of information or tangible item that is a means of account access that can be used to obtain money, goods, services, or other thing of value.[5]

Secret Service investigations have resulted in the arrest and successful prosecution of cyber criminals involved in the largest known data breaches, including those of TJ Maxx, Dave & Buster’s, Heartland Payment Systems, and others. Over the past 4 years Secret Service cyber crime investigations have resulted in over 4,900 arrests, associated with approximately $1.37 billion in fraud losses and the prevention of over $11.24 billion in potential fraud losses, with a 99.5% conviction rate in cases that go to trial. Through our work with our partners at the Department of Justice (DOJ), in particular the local U.S. Attorney Offices, the Computer Crime and Intellectual Property Section (CCIPS), the International Organized Crime Intelligence and Operations Center (IOC-2), and others, we are confident we will continue to bring the cyber criminals that perpetrate major data breaches to justice.

[1] Beginning in 1970, and over the course of 3 years, the chief teller at the Park Avenue branch of New York’s Union Dime Savings Bank manipulated the account information on the bank’s computer system to embezzle over $1.5 million from hundreds of customer accounts. This early example of cyber crime not only illustrates the long history of cyber crime, but the difficulty companies have in identifying and stopping cyber criminals in a timely manner — a trend that continues today.
[2] See 18 USC §§ 1029(d) & 1030(d)(1).
[3] See 18 USC § 1030.
[4] See 18 USC § 1029.
[5] See 18 USC § 1029(e)(1).

THE TRANSNATIONAL CYBER CRIME THREAT 

Advances in computer technology and greater access to personally identifiable information (PII) via the internet have created on-line marketplaces for transnational cyber criminals to share stolen information and criminal methodologies. As a result, the Secret Service has observed a marked increase in the quality, quantity, and complexity of cyber crimes targeting private industry and critical infrastructure. These crimes include network intrusions, hacking attacks, malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy. The recently reported data breaches of Target and Neiman Marcus are just the most recent, well-publicized examples of this decade-long trend of major data breaches perpetrated by cyber criminals who are intent on targeting our Nation’s retailers and financial payment systems.

The increasing level of collaboration among cyber criminals allows them to compartmentalize their operations, greatly increasing the sophistication of their criminal endeavors as they develop expert specialization. These specialties raise both the complexity of investigating these cases, as well as the level of potential harm to companies and individuals. For example, illicit underground cyber crime marketplaces allow criminals to buy, sell, and trade malicious software, access to sensitive networks, spamming services, payment card data, PII, bank account information, brokerage account information, hacking services, and counterfeit identity documents. These illicit digital marketplaces vary in size, with some of the more popular sites boasting membership of approximately 80,000 users. These digital marketplaces often use various digital currencies, and cyber criminals have made extensive use of digital currencies to pay for criminal goods and services or launder illicit proceeds.

The Secret Service has successfully investigated many underground cyber criminal marketplaces. In one such infiltration, the Secret Service initiated and conducted a 3-year investigation that led to the indictment of 11 perpetrators allegedly involved in hacking nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers. The investigation revealed that defendants from the United States, Estonia, China, and Belarus successfully obtained credit and debit card numbers by hacking into the wireless computer networks of major retailers — including TJ Maxx, BJ’s Wholesale Club, Office Max, Boston Market, Barnes & Noble, Sports Authority, and Dave & Buster’s. Once inside the networks, these cyber criminals installed “sniffer” programs[6] that would capture card numbers, as well as password and account information, as they moved through the retailers’ credit and debit processing networks. After the data was collected, the conspirators concealed the information in encrypted computer servers that they con-
trolled in the United States and Eastern Europe. The credit and debit card numbers 
were then sold through on-line transactions to other criminals in the United States 
and Eastern Europe. The stolen numbers were “cashed out” by encoding card num- 
bers on the magnetic strips of blank cards. The defendants then used these fraudu- 
lent cards to withdraw tens of thousands of dollars at a time from ATMs. The de- 
fendants were able to conceal and launder their illegal proceeds by using anony- 
mous internet-based digital currencies within the United States and abroad, and by 
channeling funds through bank accounts in Eastern Europe. 7 

In data breaches like these the effects of the criminal acts extended well beyond the companies compromised, potentially affecting millions of individual card holders. Proactive and swift law enforcement action protects consumers by preventing and limiting the fraudulent use of payment card data, identity theft, or both. Cyber crime directly impacts the U.S. economy by requiring additional investment in implementing enhanced security measures, inflicting reputational damage on U.S. firms, and direct financial losses from fraud — all costs that are ultimately passed on to consumers.

6 Sniffers are programs that detect particular information transiting computer networks, and can be used by criminals to acquire sensitive information from computer systems.

7 Additional information on the criminal use of digital currencies can be referenced in testimony provided by U.S. Secret Service Special Agent in Charge Edward Lowery before the Senate Homeland Security and Governmental Affairs Committee in a hearing titled, “Beyond Silk Road: Potential Risks, Threats, and Promises of Virtual Currencies” (November 18, 2013).

SECRET SERVICE STRATEGY FOR COMBATING THIS THREAT 

The Secret Service proactively investigates cyber crime using a variety of inves- 
tigative means to infiltrate these transnational cyber criminal groups. As a result 
of these proactive investigations, the Secret Service is often the first to learn of 
planned or on-going data breaches and is quick to notify financial institutions and 
the victim companies with actionable information to mitigate the damage from the 
data breach and terminate the criminal’s unauthorized access to their networks. 
One of the most poorly understood facts regarding data breaches is that it is rarely 
the victim company that first discovers the criminal’s unauthorized access to their 
network; rather it is law enforcement, financial institutions, or other third parties 
that identify and notify the likely victim company of the data breach by identifying 
the common point of origin of the sensitive data being trafficked in cyber crime mar- 
ketplaces. 

A trusted relationship with the victim is essential for confirming the crime, reme- 
diating the situation, beginning a criminal investigation, and collecting evidence. 
The Secret Service’s global network of field offices, including our 35 Electronic 
Crimes Task Forces (ECTFs), are essential for building and maintaining these trust- 
ed relationships, along with the Secret Service’s commitment to protecting victims’ 
privacy and the confidentiality of their information. 

When the Secret Service identifies a potential network intrusion, the Secret Serv- 
ice contacts the owner of the suspected compromised computer systems in order to 
assess the data breach and to stop the continued theft of sensitive information and 
the exploitation of a network. Once the victim of a data breach confirms that unau- 
thorized access to their networks has occurred, the Secret Service works with the 
local U.S. Attorney’s office, or appropriate State and local officials, to begin a crimi- 
nal investigation of the potential violation of 18 USC § 1030. During the course of 
this criminal investigation, the Secret Service identifies the malware and means of 
access used to acquire data from the victim’s computer network. In order to enable 
other companies to mitigate their cyber risk based on current cyber crime methods, 
we quickly share information concerning the cybersecurity incident with the widest 
audience possible, while protecting grand jury information, the integrity of on-going 
criminal investigations, and the victims’ privacy and confidentiality. We share this 
cybersecurity information through: 

• Our Department’s National Cybersecurity & Communications Integration Cen- 
ter (NCCIC); 

• The Information Sharing and Analysis Centers (ISAC); 

• Our ECTFs; 

• The publication of joint industry notices; 

• Our numerous partnerships developed over the past 3 decades in investigating 
cyber crimes; and, 

• Contributions to leading industry and academic reports like the Verizon Data 
Breach Investigations Report, the Trustwave Global Security Report, and the 
Carnegie Mellon CERT Insider Threat Study. 

As we share cybersecurity information discovered in the course of our criminal in- 
vestigation, we also continue our investigation in order to apprehend and bring to 
justice those involved. Due to the inherent challenges in investigating transnational 
crime, particularly the lack of cooperation of some countries with law enforcement 
investigations, occasionally it takes years to finally apprehend the top tier criminals 
responsible. For example, Dmitriy Smilianets and Vladimir Drinkman were arrested 
in June 2012, as part of a multi-year investigation by the Secret Service, while they 
were traveling in the Netherlands thanks to the assistance of Dutch law enforce- 
ment. The alleged total fraud loss from their cyber crimes exceeds $105 million. 

As a part of our cyber crime investigations, the Secret Service also targets individ- 
uals who operate illicit infrastructure that supports the transnational organized 
cyber criminal. For example, in May 2013 the Secret Service, as part of a joint in- 
vestigation through the Global Illicit Financial Team, shut down the digital cur- 
rency provider Liberty Reserve. Liberty Reserve is alleged to have had more than 
1 million users worldwide and to have laundered more than $6 billion in criminal 
proceeds. This case is believed to be the largest money laundering case ever pros- 
ecuted in the United States and is being jointly prosecuted by the U.S. Attorney’s 
Office for the Southern District of New York and DOJ’s Asset Forfeiture and Money 
Laundering Section. In a coordinated action with the Department of the Treasury, 
Liberty Reserve was identified as a financial institution of primary money laundering concern under Section 311 of the USA PATRIOT Act, effectively cutting it off from the U.S. financial system.

COLLABORATION WITH OTHER FEDERAL AGENCIES AND INTERNATIONAL LAW ENFORCEMENT

While cyber criminals operate in a world without borders, the law enforcement 
community does not. The increasingly multi-national, multi-jurisdictional nature of 
cyber crime cases has increased the time and resources needed for successful inves- 
tigation and adjudication. The partnerships developed through our ECTFs, the sup- 
port provided by our Criminal Investigative Division, the liaison established by our 
overseas offices, and the training provided to our special agents via Electronic 
Crimes Special Agent Program are all instrumental to the Secret Service’s success- 
ful network intrusion investigations. 

One example of the Secret Service’s success in these investigations is the case in- 
volving Heartland Payment Systems. As described in the August 2009 indictment, 
a transnational organized criminal group allegedly used various network intrusion 
techniques to breach security and navigate the credit card processing environment. 
Once inside the networks, they installed “sniffer” programs to capture card num- 
bers, as well as password and account information. The Secret Service investigation, 
the largest and most complex data breach investigation ever prosecuted in the 
United States, revealed that data from more than 130 million credit card accounts 
were at risk of being compromised and exfiltrated to a command-and-control server 
operated by an international group directly related to other on-going Secret Service 
investigations. During the course of the investigation, the Secret Service uncovered 
that this international group committed other intrusions into multiple corporate 
networks to steal credit and debit card data. The Secret Service relied on various 
investigative methods, including subpoenas, search warrants, and Mutual Legal As- 
sistance Treaty (MLAT) requests to identify three main suspects. As a result of the 
investigation, these primary suspects were indicted for various computer-related 
crimes. The lead defendant in the indictment pled guilty and was sentenced to 20 
years in Federal prison. This investigation is on-going with over 100 additional vic- 
tim companies identified. 

Recognizing these complexities, several Federal agencies are collaborating to in- 
vestigate cases and identify proactive strategies. Greater collaboration within the 
Federal, State, and local law enforcement community enhances information sharing, 
promotes efficiency in investigations, and facilitates efforts to de-conflict in cases of 
concurrent jurisdiction. For example, the Secret Service has collaborated extensively 
with DOJ’s CCIPS, which “prevents, investigates, and prosecutes computer crimes 
by working with other government agencies, the private sector, academic institu- 
tions, and foreign counterparts.” 8 The Secret Service’s ECTFs are a natural com- 
plement to CCIPS, resulting in an excellent partnership over the years. In the last 
decade, nearly every major cyber investigation conducted by the Secret Service has 
benefited from CCIPS contributions. 

The Secret Service also partners with numerous international law enforcement 
agencies, including the FBI. For example, in August 2010, a joint operation yielded 
the seizure of 143 computer systems — one of the largest international seizures of 
digital media obtained by U.S. law enforcement — consisting of 85 terabytes of data, 
which was transferred to law enforcement authorities in the United States. The 
data was seized from a criminal internet service provider located in Odessa, 
Ukraine, also referred to as a “Bullet Proof Hoster.” 

The case of Vladislav Horohorin is another example of successful cooperation be- 
tween the Secret Service and its law enforcement partners around the world. Mr. 
Horohorin, one of the world’s most notorious traffickers of stolen financial informa- 
tion, was arrested while traveling in France on August 25, 2010, pursuant to a re- 
quest for his provisional arrest with a view toward extradition to the United States. 
Mr. Horohorin created the first fully-automated on-line store which held stolen cred- 
it card data for sale. Both CCIPS and the Office of International Affairs at DOJ 
played critical roles in this apprehension. 

Apprehending transnational cyber criminals like these is made possible by the Secret Service’s 24 international field offices developing close partnerships with numerous foreign law enforcement agencies in order to combat transnational crime. To strengthen our ability to investigate transnational cyber crime, the Secret Service maintains ECTFs in London and Rome, has assigned agents to INTERPOL and EUROPOL, and operates cyber crime working groups in the Netherlands, Estonia, Lithuania, Latvia, Ukraine, and Germany. The Secret Service also trains numerous international partners on investigating cyber crime; in the past 3 years the Secret Service has trained over 500 law enforcement officials representing over 90 countries in investigating cyber crimes.

8 U.S. Department of Justice, (n.d.). Computer Crime & Intellectual Property Section: About CCIPS. Retrieved from http://www.justice.gov/criminal/cybercrime/.

The Secret Service investigations of transnational crime are facilitated by the 
dedicated efforts of both the Department of State and the DOJ’s Office of Inter- 
national Affairs to execute MLATs and other forms of international law enforcement 
cooperation, in addition to the personal relationships that develop between Secret 
Service agents and their foreign counterparts through these working groups and 
training efforts. 

Within DHS, the Secret Service benefits from a close relationship with Immigra- 
tion and Customs Enforcement’s Homeland Security Investigations (ICE-HSI). 
Since 1997, the Secret Service, ICE-HSI, and IRS-CI have jointly trained on com- 
puter investigations through the Electronic Crimes Special Agent Program (ECSAP). 
ICE-HSI is also a member of Secret Service ECTFs, and ICE-HSI and the Secret 
Service have partnered on numerous cyber crime investigations including the recent 
take-down of the digital currency Liberty Reserve. 

To further its cybersecurity information-sharing efforts, the Secret Service has 
strengthened its relationship with the National Protection and Programs Direc- 
torate (NPPD), including the NCCIC. As the Secret Service identifies malware, sus- 
picious IPs, and other information through its criminal investigations, it shares in- 
formation with our Department’s NCCIC. The Secret Service continues to build 
upon its full-time presence at NCCIC to coordinate its cyber programs with other 
Federal agencies. 

As a part of these efforts, and to ensure that information is shared in a timely 
and effective manner, the Secret Service has personnel assigned to the following 
DHS and non-DHS entities: 

• NPPD’s National Cybersecurity & Communications Integration Center 
(NCCIC); 

• NPPD’s Office of Infrastructure Protection; 

• DHS’s Science and Technology Directorate (S&T); 

• The National Cyber Investigative Joint Task Force (NCIJTF); 

• Each FBI Joint Terrorism Task Force (JTTF), including the National JTTF; 

• Department of the Treasury — Office of Terrorist Financing and Financial 
Crimes (TFFC); 

• Department of the Treasury — Financial Crimes Enforcement Network 
(FinCEN); 

• Central Intelligence Agency; 

• DOJ’s International Organized Crime and Intelligence Operations Center (IOC-2);

• Drug Enforcement Administration’s Special Operations Division; 

• EUROPOL; and 

• INTERPOL. 

The Secret Service is committed to ensuring that all its information-sharing ac- 
tivities comply with applicable laws, regulations, and policies, including those that 
pertain to privacy, confidentiality, and civil liberties. 

SECRET SERVICE FRAMEWORK 

To protect our financial infrastructure, industry, and the American public, the Se- 
cret Service has adopted a multi-faceted approach to aggressively combat cyber and 
computer-related crimes. 

Electronic Crimes Task Forces 

In 1995, the Secret Service New York Field Office established the New York Elec- 
tronic Crimes Task Force (ECTF) to combine the resources of academia, the private 
sector, and local, State, and Federal law enforcement agencies to combat computer- 
based threats to our financial payment systems and critical infrastructures. In 2001, 
Congress directed the Secret Service to establish a Nation-wide network of ECTFs 
to “prevent, detect, and investigate various forms of electronic crimes, including po- 
tential terrorist attacks against critical infrastructure and financial payment sys- 
tems.” 9 

Secret Service field offices currently operate 35 ECTFs, including two based overseas in Rome, Italy, and London, England. Membership in our ECTFs includes: Over 4,000 private-sector partners; over 2,500 international, Federal, State, and local law enforcement partners; and over 350 academic partners. By joining our ECTFs, our partners benefit from the resources, information, expertise, and advanced research provided by our international network of members while focusing on issues with significant regional impact.

9 See Public Law 107-56 Section 105 (appears as note following 18 U.S.C. §3056).

Cyber Intelligence Section 

Another example of our partnership approach with private industry is our Cyber 
Intelligence Section (CIS) which analyzes evidence collected as a part of Secret Serv- 
ice investigations and disseminates information in support of Secret Service inves- 
tigations world-wide and generates new investigative leads based upon its findings. 
CIS leverages technology and information obtained through private-sector partner- 
ships to monitor developing technologies and trends in the financial payments in- 
dustry for information that may be used to enhance the Secret Service’s capabilities 
to prevent and mitigate attacks against the financial and critical infrastructures. 
CIS also has an operational unit that investigates international cyber criminals in- 
volved in cyber intrusions, identity theft, credit card fraud, bank fraud, and other 
computer-related crimes. The information and coordination provided by CIS is a cru- 
cial element to successfully investigating, prosecuting, and dismantling inter- 
national criminal organizations. 

Electronic Crimes Special Agent Program 

A central component of the Secret Service’s cyber crime investigations is its Elec- 
tronic Crimes Special Agent Program (ECSAP), which is comprised of nearly 1,400 
Secret Service special agents who have received at least one of three levels of com- 
puter crimes-related training. 

Level I — Basic Investigation of Computers and Electronic Crimes (BICEP). — The 
BICEP training program focuses on the investigation of electronic crimes and pro- 
vides a brief overview of several aspects involved with electronic crimes investiga- 
tions. This program provides Secret Service agents and our State and local law en- 
forcement partners with a basic understanding of computers and electronic crime 
investigations and is now part of our core curriculum for newly-hired special agents. 

Level II — Network Intrusion Responder (ECSAP-NI). — ECSAP-NI training pro- 
vides special agents with specialized training and equipment that allows them to 
respond to and investigate network intrusions. These may include intrusions into 
financial sector computer systems, corporate storage servers, or various other tar- 
geted platforms. The Level II trained agent will be able to identify critical artifacts 
that will allow for effective investigation of identity theft, malicious hacking, unau- 
thorized access, and various other related electronic crimes. 

Level III — Computer Forensics (ECSAP-CF). — ECSAP-CF training provides spe- 
cial agents with specialized training and equipment that allows them to investigate 
and forensically obtain digital evidence to be utilized in the prosecution of various 
electronic crimes cases, as well as criminally-focused protective intelligence cases. 

These agents are deployed in Secret Service field offices throughout the world and 
have received extensive training in forensic identification, as well as the preserva- 
tion and retrieval of electronically-stored evidence. ECSAP-trained agents are com- 
puter investigative specialists, qualified to conduct examinations on all types of elec- 
tronic evidence. These special agents are equipped to investigate the continually 
evolving arena of electronic crimes and have proven invaluable in the successful 
prosecution of criminal groups involved in computer fraud, bank fraud, identity 
theft, access device fraud, and various other electronic crimes targeting our financial 
institutions and private sector. 

National Computer Forensics Institute 

The National Computer Forensics Institute (NCFI), located in Hoover, AL, is the 
result of a partnership between the Secret Service, NPPD, the State of Alabama, 
and the Alabama District Attorney’s Association. The goal of this facility is to pro- 
vide a National standard of training for a variety of electronic crimes investigations. 
The program offers State and local law enforcement officers and prosecutors the 
training necessary to perform computer forensics examinations, respond to network 
intrusion incidents, and to conduct electronic crimes investigations, while judges re- 
ceive general education in these areas. Since opening in 2008, the institute has held 
over 150 cyber and digital forensics courses in 16 separate subjects and trained and 
equipped more than 3,000 State and local officials, including more than 2,300 police 
investigators, 840 prosecutors, and 230 judges from all 50 States and three U.S. ter- 
ritories. These NCFI graduates represent more than 1,000 agencies Nation-wide. 

State and local agencies greatly benefit from this Secret Service-provided education on investigating cyber crime. In some of the advanced forensics and network intrusion courses, students are issued all of the hardware, software, and licenses necessary to conduct investigations. NCFI students receive the same equipment and advanced software as U.S. Secret Service special agents — a considerable benefit as it allows both the local officer and the Federal agent to operate on common systems.

Graduates of the NCFI return to their respective agencies and apply their newly- 
acquired skills and equipment to investigating computer-based crimes. Additionally, 
these graduates are offered the chance to participate in the Secret Service’s Elec- 
tronic Crimes Task Force (ECTF) program. State and local ECTF members work 
alongside other Federal agencies and private-sector entities to combat the systemic 
flood of cyber-related crimes targeting both private citizens and our Nation’s finan- 
cial infrastructure. These ECTF members also serve as force multiplier for the U.S. 
Secret Service ECSAP program. 

Partnerships with Academia 

The Secret Service has a long history of closely partnering with academia as a 
part of our mission. For example, Drexel University is a valued member of our 
Philadelphia ECTF, and this highly productive partnership to address the chal- 
lenges of cyber crime is an excellent example of the sort of partnerships the Secret 
Service has developed with over 200 academic institutions Nation-wide through our 
ECTFs. The Secret Service is continually expanding its partnerships with academia 
through its 35 Electronic Crimes Task Forces. In addition to the numerous univer- 
sities that are ECTF members, the Secret Service has a close, collaborative relation- 
ship with both Carnegie Mellon and the University of Tulsa. 

In August 2000, the Secret Service and Carnegie Mellon University Software En- 
gineering Institute (SEI) established the Secret Service CERT 10 Liaison Program to 
provide technical support, opportunities for research and development, as well as 
public outreach and education to more than 150 scientists and researchers in the 
fields of computer and network security, malware analysis, forensic development, 
training, and education. Supplementing this effort is research into emerging tech- 
nologies being used by cyber-criminals and development of technologies and tech- 
niques to combat them. 

The primary goals of the program are: To broaden the Secret Service’s knowledge 
of software engineering and networked systems security; to expand and strengthen 
partnerships and relationships with the technical and academic communities; part- 
ner with CERT-SEI and Carnegie Mellon University to support research and devel- 
opment to improve the security of cyberspace and improve the ability of law enforce- 
ment to investigate crimes in a digital age; and to present the results of this part- 
nership at the quarterly meetings of our ECTFs. 

In August 2004, the Secret Service partnered with CERT-SEI to publish the first 
“Insider Threat Study” examining the illicit cyber activity and insider fraud in the 
banking and finance sector. Due to the overwhelming response to this initial study, 
the Secret Service and CERT-SEI, in partnership with DHS Science & Technology 
(S&T), updated the study and released the most recent version just last year, which 
is published at http://www.cert.org/insider threat/.

To improve law enforcement’s ability to investigate crimes involving mobile de- 
vices, the Secret Service opened the Cell Phone Forensic Facility at the University 
of Tulsa in 2008. This facility has a three-pronged mission: (1) Training Federal, 
State, and local law enforcement agents in embedded device forensics; (2) developing 
novel hardware and software solutions for extracting and analyzing digital evidence 
from embedded devices; and (3) applying the hardware and software solutions to 
support criminal investigations conducted by the Secret Service and its partner 
agencies. To date, investigators trained at the Cell Phone Forensic Facility have 
completed more than 6,500 examinations on cell phone and embedded devices Na- 
tion-wide. Secret Service agents assigned to the Tulsa facility have contributed to 
over 300 complex cases that have required the development of sophisticated tech- 
niques and tools to extract critical evidence. 

These collaborations with academia, among others, have produced valuable innovations that have helped strengthen the cyber ecosystem and improved law enforcement’s ability to investigate cyber crime. The Secret Service will continue to partner closely with academia and DHS S&T, particularly the Cyber Forensics Working Group, to support research and development of innovative tools and methods to support criminal investigations.

LEGISLATIVE ACTION TO COMBAT DATA BREACHES 

While there is no single solution to prevent data breaches of U.S. customer information, legislative action could help to improve the Nation’s cybersecurity, reduce regulatory costs on U.S. companies, and strengthen law enforcement’s ability to conduct effective investigations. The administration previously proposed law enforcement provisions related to computer security through a letter from OMB Director Lew to Congress on May 12, 2011, highlighting the importance of additional tools to combat emerging criminal practices. We continue to support changes like these that will keep pace with rapidly-evolving use of information technology and associated cybersecurity risks.

10 CERT — not an acronym — conducts empirical research and analysis to develop and transition socio-technical solutions to combat insider cyber threats.


CONCLUSION 

The Secret Service is committed to safeguarding the Nation’s financial payment 
systems by investigating and dismantling criminal organizations involved in cyber 
crime. Responding to the growth in these types of crimes and the level of sophistica- 
tion these criminals employ requires significant resources and greater collaboration 
among law enforcement and its public and private-sector partners. Accordingly, the 
Secret Service dedicates significant resources to improving investigative techniques, 
providing training for law enforcement partners, and raising public awareness. The 
Secret Service will continue to be innovative in its approach to cyber crime and cy- 
bersecurity and is pleased that the subcommittee recognizes the magnitude of these 
issues, the evolving nature of these crimes, and the importance of academic institu- 
tions, like Drexel University, in addressing these issues. 

Mr. Meehan. I want to thank Mr. Baranoff for his testimony, 
and the Chairman now recognizes Mr. Quinn for your testimony. 

STATEMENT OF RICHARD P. QUINN, ASSISTANT SPECIAL AGENT IN CHARGE, PHILADELPHIA FIELD OFFICE, FEDERAL BUREAU OF INVESTIGATION

Mr. Quinn. Good morning, Chairman Meehan, Ranking Member 
Clarke. Thank you for inviting me here today to discuss the FBI’s 
role in cybersecurity, and for your on-going support 

Mr. Meehan. Special Agent, is — would you check to see if your 
mike is pushed on? 

Mr. Quinn. Test. 

Mr. Meehan. Just pull it closer to you, then, please. 

Mr. Quinn. Got it. Very good. How is this? Very good. Well, good 
morning, Chairman Meehan, and Ranking Member Clarke, and 
Congressman Fitzpatrick. Thank you for inviting me here today to 
discuss the FBI’s role in cybersecurity, and for your on-going sup- 
port of the Bureau. 

The purpose of this hearing is to discuss Federal, State, and local 
partnerships with private industry as it relates to cybersecurity. To 
that end, it is important to note that the FBI recognizes that in 
order to effectively combat the cyber threat, it is imperative we sig- 
nificantly enhance our collaboration not only with other Govern- 
ment entities, but with the private sector. On one hand, our Na- 
tion’s companies are the primary victims of cyber intrusions, and 
their networks contain the evidence of countless attacks. On the 
other hand, the private sector is the key to defeating this threat. 
The private sector possesses the information, expertise, and knowl- 
edge to be a crucial partner in this endeavor. 

One of the challenges in the past has been that, while private industry has provided us information about the attacks, we have not always provided information in return. It is in establishing and refining an exchange of valuable information about cybersecurity issues that will allow us to leverage the capabilities of both public and private sector in defeating cyber threats. The FBI’s newly established Key Partnership Engagement Unit manages a targeted outreach program focused on building relationships with senior executives of key private-sector corporations.

Through utilizing a tiered approach, the FBI is able to prioritize 
our efforts to better correlate potential National security threat lev- 
els with specific critical infrastructure sectors. The Key Partner- 
ship team promotes the FBI’s whole-of-Government and industry 
approach to cybersecurity in investigations by developing a robust 
information exchange platform with corporate partners. Through 
the FBI’s InfraGard program, the FBI develops partnerships and 
working relationships with private sector, academic, and other pub- 
lic/private entity subject-matter experts. Primarily geared towards 
the protection of critical National infrastructure, InfraGard pro- 
motes on-going dialogue and timely communication between a cur- 
rent active membership base of approximately 26,000. 

InfraGard members are encouraged to share information with 
Government that enhances its mission to prevent and address 
criminal and National security issues, and, through the utilization 
of the Guardian for Cyber program, active members are able to re- 
port cyber intrusion incidents in real time to the FBI. InfraGard 
members also benefit from access to robust on- and off-line learning 
courses, connectivity with other members and special interest 
groups, and relevant Government intelligence and updates that en- 
able them to broaden threat awareness, and protect their assets. 

The FBI’s Cyber Initiative and Resource Fusion Unit maximizes 
and develops intelligence and analytical resources received from 
law enforcement, academia, international and critical corporate pri- 
vate-sector subject-matter experts to identify and combat signifi- 
cant actors involved in current and emerging cyber-related criminal 
and National security threats. CIRFU’s core capabilities include a 
partnership with the National Cyber Forensics and Training Alli- 
ance in Pittsburgh, Pennsylvania, where the unit is co-located. 
NCFTA acts as a neutral platform through which the unit develops 
and maintains a liaison with hundreds of formal and informal 
working partners who share real-time threat information, best 
practices, and collaborate on initiatives to target and mitigate 
cyber threats domestically and abroad. 

The FBI recognizes that industry collaboration and coordination 
is critical in combating cyber threats effectively. As part of our en- 
hanced private-sector outreach, we have begun to provide partners 
with Classified threat briefings and other information, and tools to 
better help them repel intruders. Earlier this year, in coordination 
with the Treasury Department, we provided a Classified briefing 
on threats to the financial services industry to executives of more 
than 40 banks, who participated via secured video teleconferences 
in FBI offices across the country. We provided yet another Classi- 
fied briefing on threats to the financial services industry in April 
2014, with 100 banks participating via secure video teleconference 
in those FBI field offices. 

Another illustration of the FBI’s commitment to private-sector 
outreach is our increase in production of our external use products, 
such as the FBI liaison alert system, and private industry notifica- 
tion. We continue to counter the threats we face in engaging in an 
unprecedented level of collaboration with the United States Gov- 
ernment, the private sector, and we are grateful for the commit- 
tee’s support, and look forward to continuing to work with you, and 
expand our partnerships, as we determine a successful course for- 
ward for the Nation to defeat our cyber adversaries. Thank you. 
[The prepared statement of Mr. Quinn follows:] 

Prepared Statement of Richard P. Quinn 
April 16, 2014 

Good morning Chairman Meehan and Ranking Member Clarke. I thank you for 
holding this hearing today and I look forward to discussing the FBI’s role in cyber- 
security. On behalf of the men and women of the FBI, let me begin by thanking 
you for your on-going support of the Bureau. 

Today’s FBI is a threat-focused, intelligence-driven organization. Each employee 
of the FBI understands that to mitigate the key threats facing our Nation, we must 
constantly strive to be more efficient and more effective. Just as our adversaries 
continue to evolve, so, too, must the FBI. We live in a time of acute and persistent 
terrorist, state-sponsored, and criminal threats to our National security, our econ- 
omy, and our communities. These diverse threats facing our Nation and our neigh- 
borhoods underscore the complexity and breadth of the FBI’s mission. 

We remain focused on defending the United States against terrorism, foreign in- 
telligence, and cyber threats; upholding and enforcing the criminal laws of the 
United States; protecting civil rights and civil liberties; and providing leadership 
and criminal justice services to Federal, State, local, and international agencies and 
partners. 


THE CYBER THREAT & FBI RESPONSE 

We face cyber threats from state-sponsored hackers, hackers for hire, global cyber 
syndicates, and terrorists. They seek our state secrets, our trade secrets, our tech- 
nology, and our ideas — things of incredible value to all of us. They may seek to 
strike our critical infrastructure and our economy. 

Given the scope of the cyber threat, agencies across the Federal Government are 
making cybersecurity a top priority. Within the FBI, we are prioritizing high-level 
intrusions — the biggest and most dangerous botnets, state-sponsored hackers, and 
global cyber syndicates. We want to predict and prevent attacks, rather than simply 
react after the fact. 

FBI agents, analysts, and computer scientists are using technical capabilities and 
traditional investigative techniques — such as sources and wiretaps, surveillance, 
and forensics — to fight cyber crime. We are working side-by-side with our Federal, 
State, and local partners on Cyber Task Forces in each of our 56 field offices and 
through the National Cyber Investigative Joint Task Force (NCIJTF). Through our 
24-hour cyber command center, CyWatch, we combine the resources of the FBI and 
NCIJTF, allowing us to provide connectivity to Federal cyber centers, Government 
agencies, FBI field offices and legal attaches, and the private sector in the event 
of a cyber intrusion. 

We also work with the private sector through partnerships such as the Domestic 
Security Alliance Council, InfraGard, and the National Cyber Forensics and Train- 
ing Alliance. And we are training our State and local counterparts to triage local 
cyber matters, so that we can focus on National security issues. 

In addition, our legal attache offices overseas work to coordinate cyber investiga- 
tions and address jurisdictional hurdles and differences in the law from country to 
country. We are supporting partners at Interpol and The Hague as they work to es- 
tablish international cyber crime centers. We continue to assess other locations to 
ensure that our cyber personnel are in the most appropriate locations across the 
globe. 

We know that to be successful in the fight against cyber crime, we must continue 
to recruit, develop, and retain a highly-skilled workforce. To that end, we have de- 
veloped a number of creative staffing programs and collaborative private-industry 
partnerships to ensure that over the long term we remain focused on our most vital 
resource — our people. 

As the committee is well aware, the frequency and impact of cyber attacks on our 
Nation’s private sector and Government networks have increased dramatically in 
the past decade, and are expected to continue to grow. Since 2002, the FBI has seen 
an 82 percent increase in the number of computer intrusion investigations. 
RECENT SUCCESSES 

While the FBI and our partners have had multiple recent investigative successes 
against the threat, we are continuing to push ourselves to respond more rapidly and 
prevent attacks before they occur. 

One area in which we recently have had great success with our overseas partners 
is in targeting infrastructure we believe has been used in Distributed Denial of 
Service (DDOS) attacks, and preventing that infrastructure from being used for fu- 
ture attacks. A DDOS attack is an attack on a computer system or network that 
causes a loss of service to users, typically the loss of network connectivity and serv- 
ices by consuming the bandwidth of the victim network. Since October 2012, the 
FBI and the Department of Homeland Security (DHS) have released nearly 168,000 
Internet Protocol addresses of computers that were believed to be infected with 
DDOS malware. We have released this information through Joint Indicator Bul- 
letins (JIBs) to more than 130 countries via DHS’s National Cybersecurity and Com- 
munications Integration Center (NCCIC), where our liaisons provide expert and 
technical advice for increased coordination and collaboration, as well as our Legal 
Attaches overseas. 

These actions have enabled our foreign partners to take action and reduced the 
effectiveness of the botnets and the DDOS attacks. We are continuing to target 
botnets through this strategy and others. 

In April 2013, the FBI Cyber Division initiated an aggressive approach to disrupt 
and dismantle the most significant botnets threatening the economy and National 
security of the United States. This initiative, named Operation Clean Slate, is the 
FBI’s broad campaign to implement appropriate threat neutralization actions 
through collaboration with the private sector, DHS, and other United States Gov- 
ernment partners, and our foreign partners. This includes law enforcement action 
against those responsible for the creation and use of the illegal botnets, mitigation 
of the botnet itself, assistance to victims, public-service announcements, and long- 
term efforts to improve awareness of the botnet threat through community outreach. 
Although each botnet is unique, Operation Clean Slate’s strategic approach to this 
significant threat ensures a comprehensive neutralization strategy, incorporating a 
unified public/private response and a whole-of-Government approach to protect U.S. 
interests. 

The impact of botnets has been significant. Botnets have caused over $113 billion 
in losses globally, with approximately 378 million computers infected each year, 
equaling more than 1 million victims per day, translating to 12 victims per second. 

To date, Operation Clean Slate has resulted in several successes. Working with 
our partners, we disrupted the Citadel Botnet. This botnet was designed to facilitate 
unauthorized access to computers of individuals and financial institutions to steal 
on-line banking credentials, credit card information, and other personally identifi- 
able information. Citadel was responsible for the loss of over a half billion dollars. 
As a result of our actions, over 1,000 Citadel domains were seized, accounting for 
more than 11 million victim computers worldwide. In addition, working with foreign 
law enforcement, we arrested a major user of the malware. 

Building on the success of the disruption of Citadel, in December 2013, the FBI, 
Europol, together with Microsoft and other industry partners, disrupted the 
ZeroAccess Botnet. ZeroAccess was responsible for infecting more than 2 million 
computers, specifically targeting search results on Google, Bing, and Yahoo search 
engines, and is estimated to have cost on-line advertisers $2.7 million each month. 

In January 2014, Aleksandr Andreevich Panin, a Russian national, pled guilty 
to conspiracy to commit wire and bank fraud for his role as the primary developer 
and distributor of the malicious software known as “SpyEye” which infected over 1.4 
million computers in the United States and abroad. Based on information received 
from the financial services industry, over 10,000 bank accounts have been com- 
promised by SpyEye infections in 2013 alone. Panin’s co-conspirator, Hamza 
Bendelladj, an Algerian national who helped Panin develop and distribute the 
malware, was also arrested in January 2013 in Bangkok, Thailand. 

NEXT GENERATION CYBER INITIATIVE 

The need to prevent attacks is a key reason the FBI has redoubled our efforts 
to strengthen our cyber capabilities while protecting privacy, confidentiality, and 
civil liberties. The FBI’s Next Generation Cyber Initiative, which we launched in 
2012, entails a wide range of measures, including focusing the Cyber Division on 
intrusions into computers and networks — as opposed to crimes committed with a 
computer as a modality; establishing Cyber Task Forces in each of our 56 field of- 
fices to conduct cyber intrusion investigations and respond to significant cyber inci- 
dents; hiring additional computer scientists to assist with technical investigations 
in the field; and expanding partnerships and collaboration at the NCIJTF. 

At the NCIJTF — which serves as a coordination, integration, and information 
sharing center among 19 U.S. agencies and our Five Eyes partners for cyber threat 
investigations — we are coordinating at an unprecedented level. This coordination in- 
volves senior personnel at key agencies. NCIJTF, which is led by the FBI, now has 
deputy directors from the NSA, DHS, the Central Intelligence Agency, U.S. Secret 
Service, and U.S. Cyber Command. In the past year we have had our Five Eyes 
partners join us at the NCIJTF. Australia embedded a liaison officer in May 2013, 
the United Kingdom in July 2013, and Canada in January 2014. By developing 
partnerships with these and other nations, NCIJTF is working to become the inter- 
national leader in synchronizing and maximizing investigations of cyber adversaries. 

While we are primarily focused with our Federal partners on cyber intrusions, we 
are also working with our State and local law enforcement partners to identify and 
address gaps in the investigation and prosecution of internet fraud crimes. 

Currently, the FBI’s Internet Crime Complaint Center (IC3) collects reports from 
private industry and citizens about on-line fraud schemes, identifies emerging 
trends, and produces reports about them. The FBI investigates fraud schemes that 
are appropriate for Federal prosecution (based on factors like the amount of loss). 
Others are packaged together and referred to State and local law enforcement. 

The FBI is also working to develop the Wellspring program in collaboration with 
the International Association of Chiefs of Police, the Major City Chiefs Association, 
and the National Sheriffs Association to enhance the internet fraud targeting pack- 
ages IC3 provides to State and local law enforcement for investigation and potential 
prosecution. During the first phase of this program’s development, IC3 worked with 
the Utah Department of Public Safety to develop better investigative leads for direct 
dissemination to State and local agencies. 

Through IC3, Operation Wellspring provided Utah police 22 referral packages in- 
volving over 800 victims, from which the FBI opened 14 investigations. Additionally, 
another 9 investigations were opened and developed from the information provided. 

The following are reported loss totals: 

• IC3-referred investigations = $2,135,264; 

• Cyber Task Force initiated investigations = $385,630; 

• Operation Wellspring/Utah Total = $2,520,894. 

The FBI’s newly-established Guardian for Cyber application, being developed for 
Cyber use by the Guardian Victim Analysis Unit (GVAU), provides a comprehensive 
platform that coordinates and tracks U.S. Government efforts to notify victims or 
targets of malicious cyber activity. 

The FBI is working toward the full utilization of Guardian for Cyber across FBI, 
OGAs, State, local, Tribal and territorial governments (SLTTs) as well as industry 
partners, in order to increase awareness of vulnerabilities in infrastructure, forward 
understanding of cyber-related threats and facilitate a coordinated overall cyber in- 
cident response by the U.S. Government. 

PRIVATE SECTOR OUTREACH 

In addition to strengthening our partnerships in Government and law enforce- 
ment, we recognize that to effectively combat the cyber threat, we must significantly 
enhance our collaboration with the private sector. Our Nation’s companies are the 
primary victims of cyber intrusions and their networks contain the evidence of 
countless attacks. In the past, industry has provided us information about attacks 
that have occurred, and we have investigated the attacks, but we have not always 
provided information back. 

The FBI’s newly-established Key Partnership Engagement Unit (KPEU) manages 
a targeted outreach program focused on building relationships with senior execu- 
tives of key private-sector corporations. Through utilizing a tiered approach the FBI 
is able to prioritize our efforts to better correlate potential National security threat 
levels with specific critical infrastructure sectors. 

The KPEU team promotes the FBI’s Government and industry collaborative ap- 
proach to cybersecurity and investigations by developing a robust information ex- 
change platform with its corporate partners. 

Through the FBI’s InfraGard program, the FBI develops partnerships and work- 
ing relationships with private sector, academic, and other public-private entity sub- 
ject-matter experts. Primarily geared toward the protection of critical National in- 
frastructure, InfraGard promotes on-going dialogue and timely communication be- 
tween a current active membership base of 25,863 (as of April 2014). 

Members are encouraged to share information with Government that better al- 
lows Government to prevent and address criminal and National security issues. 
Through the utilization of the Guardian for Cyber program, active members are able 
to report cyber intrusion incidents in real time to the FBI. InfraGard members also 
benefit from access to robust on- and off-line learning resources, connectivity with 
other members and special interest groups, and relevant Government intelligence 
and updates that enable them to broaden threat awareness and protect their assets. 

The FBI’s Cyber Initiative & Resource Fusion Unit (CIRFU) maximizes and devel- 
ops intelligence and analytical resources received from law enforcement, academia, 
international, and critical corporate private-sector subject-matter experts to identify 
and combat significant actors involved in current and emerging cyber-related crimi- 
nal and National security threats. CIRFU’s core capabilities include a partnership 
with the National Cyber Forensics and Training Alliance (NCFTA) in Pittsburgh, 
Pennsylvania, where the unit is collocated. NCFTA acts as a neutral platform 
through which the unit develops and maintains liaison with hundreds of formal and 
informal working partners who share real-time threat information, best practices, 
and collaborate on initiatives to target and mitigate cyber threats domestically and 
abroad. In addition, the FBI, Small Business Administration and the National Insti- 
tute of Standards and Technology (NIST) partner together to provide cybersecurity 
training and awareness to small business as well as citizens leveraging the FBI 
InfraGard program. 

The FBI recognizes that industry collaboration and coordination is critical in our 
combating the cyber threat effectively. As part of our enhanced private-sector out- 
reach, we have begun to provide industry partners with Classified threat briefings 
and other information and tools to better help them repel intruders. Earlier this 
year, in coordination with the Treasury Department, we provided a Classified brief- 
ing on threats to the financial services industry to executives of more than 40 banks 
who participated via secure video teleconference in FBI field offices. We provided 
another Classified briefing on threats to the financial services industry in April 
2014, with 100 banks participating. Another illustration of the FBI’s commitment 
to private-sector outreach is our increase in production of our external use products 
such as the FBI Liaison Alert System (FLASH) reports and Private Industry Notifi- 
cations (PINs). 


CONCLUSION 

In conclusion Chairman Meehan, to counter the threats we face we are engaging 
in an unprecedented level of collaboration within the U.S. Government, with the pri- 
vate sector, and with international law enforcement. 

We are grateful for the committee’s support and look forward to continuing to 
work with you and expand our partnerships as we determine a successful course 
forward for the Nation to defeat our cyber adversaries. 

Mr. Meehan. Thank you, Special Agent Quinn. The Chairman 
now recognizes the district attorney of Delaware County, Jack 
Whelan. 

STATEMENT OF JOHN J. “JACK” WHELAN, DISTRICT 
ATTORNEY, DELAWARE COUNTY, PENNSYLVANIA 

Mr. Whelan. Thank you, Chairman Meehan, Congresswoman 
Clarke, Congressman Fitzpatrick. Good morning. I would like to 
thank you for the opportunity to discuss cybersecurity, and how we 
can work together to better protect the identities of our Delaware 
County residents. It is a great opportunity for me to share a local 
perspective. 

As the committee is well aware, identity theft is the Nation’s 
fastest-growing crime. In law enforcement, we define cyber crime 
as any crime where a computer or the internet is used to commit 
or to conceal a crime. In Delaware County our detectives have seen cyber 
crime first-hand in cases where identity thieves steal personal in- 
formation and use it to gain access to a victim’s financial resources. 
These thieves may steal mail, hack into computers, or even enlist 
employees at companies that have legitimate access to personal in- 
formation. They also use e-mail or telephone scams to commit the 
crime, which is most often seen here in Delaware County, and it 
affects our most vulnerable population, our senior citizens. 

With relatively little information, even low-tech, inexperienced 
criminals can begin opening accounts in another person’s name and 
run up substantial charges. In one case we arrested Dorothy J. Mil- 
ler of Haverford Township for stealing more than $150,000 from 
her employee — employer, Summers Hardwood Floors, located in 
Sharon Hill. After she assumed the identity of the company’s 
owner, John Summers, who had passed away, Miller opened a cred- 
it card in his name and forged numerous checks, using his and his 
wife’s signature. Through handwriting analysis, our detectives 
were able to charge Miller with multiple felony counts of theft, for- 
gery, identity theft, and conspiracy. 

In Delaware County we also see criminals using the internet to 
trick people into giving them money or merchandise. These scams 
run from the small-time bait-and-switch schemes that you might 
see on Craigslist to more sophisticated false websites that are set 
up to look like genuine websites, such as major banks. 

Computers can also be used as instruments of stalking, or har- 
assment via e-mail, or social networking sites. Targeting another 
vulnerable population, computers are used in crimes against our 
children, where the internet is used to traffic child pornography, 
and by predators who entice our children to meet them for sexual 
purposes. Dramatic increases in technology and its availability on 
the consumer level, coupled with a decline in cost, have given those 
who would exploit children a remarkable, effective, and far-reach- 
ing ability with which to do so. 

To combat these crimes, detectives with the Delaware County 
Criminal Investigation Division, Economic Crime Unit, and the of- 
fice’s forensic crime lab, they investigate financial crime. The unit 
receives complaints from our local law enforcement agencies, the 
private sector, as well as the public. Financial crimes can refer to 
any number of nonviolent criminal offenses that involve obtaining 
financial gain through fraud, deceit, misrepresentation, or other 
forms of deception. 

Financial crime is constantly evolving with the times, and is hit- 
ting new frontiers with the age of the internet. Identity theft can 
be committed against a single individual, corporation, or multiple 
victims. It may even be more complex because there can be more 
than one victim. Frequently the crime may not be discovered until 
long after it was committed. Perpetrators may not live in the same 
jurisdiction as the victim, and may commit the crime in several ju- 
risdictions simultaneously, making it difficult for law enforcement 
to detect patterns, and the actual extent of the crime. For example, 
identity theft could be committed against a Delaware County resi- 
dent by a perpetrator in Florida who has committed the same 
crime against several other victims across the State. Given all of 
the above, it is clear that identity theft is a crime that presents 
unique challenges to law enforcement to investigate and to pros- 
ecute. 

The complexities of identity theft cases can slow down, or even 
hinder investigation because of the lack of resources available to 
conduct a cross-jurisdictional investigation. Evidence needed by po- 
lice to solve a cyber crime is often held by the private industry, out- 
side of the police’s jurisdiction. For this reason, strong partnerships 
are essential to making cross-jurisdictional cooperation work. In- 
vestigation and prosecution can be very time-consuming, due to the 
volumes of records required to be examined, and the time required 
to obtain documents from banks and other financial institutions. 
The unit collaborates with and assists Federal, State, and local law 
enforcement in enforcing State, Federal, and local criminal laws re- 
lating to computer-related crime through forensic collection, recov- 
ery, processing, preservation, analysis, storage, maintenance, and 
the presentation of digital evidence. 

As more and more people engage in on-line financial activities, 
such as shopping, banking, investing, bill-paying, our residents are 
becoming more vulnerable to sophisticated on-line identity thieves 
who target personal identification information. Identity theft can 
happen off-line too. In Delaware County we have seen low-tech, in- 
experienced criminals successfully open credit cards, and other fi- 
nancial accounts in another’s name by stealing mail, personal 
items from a wallet, or even rummaging through trash for personal 
identification information. 

In closing, no one, no individual, and no institution is immune 
from these types of crimes, and so increasing our awareness of the 
issue is one important function of our Economics Crime Unit. We 
alert the public to steps that must be taken to ensure their com- 
puters are secure, and their personal information is safe by sharing 
information through public service announcement videos, bro- 
chures, along with public presentations and seminars held in part- 
nership with our financial institution, local businesses, and com- 
munity partnerships. Thank you. 

[The prepared statement of Mr. Whelan follows:] 

Prepared Statement of John J. “Jack” Whelan 
April 16, 2014 

Good morning Chairman Meehan and Members of the House committee. I would 
like to thank you for the opportunity to discuss cybersecurity and how we can work 
together to better protect the identities of Delaware County residents. 

As the committee is well aware, identity theft is the Nation’s fastest-growing 
crime. In law enforcement, we define cyber crime as any crime where a computer 
or the internet is used to commit or conceal a crime. 

In Delaware County, our detectives see cyber crime first-hand in cases when iden- 
tity thieves steal personal information and use it to gain access to a victim’s finan- 
cial resources. These thieves may steal mail, hack into computers, or enlist employ- 
ees at companies that have legitimate access to personal information. They also use 
e-mail or telephone scams to commit a crime, which is most often seen in crimes 
committed against Delaware County’s most vulnerable population, our senior citi- 
zens. With relatively little information, even low-tech, inexperienced criminals can 
begin opening accounts in another person’s name and run up substantial charges. 

In one case, we arrested Dorothy J. Miller of Havertown for stealing more than 
$150,000 from her employer, Summers Hardwood Floors, Inc. located in Sharon Hill, 
PA. After assuming the identity of the company owner John Summers, who had 
passed away, Miller opened a credit card in his name and forged numerous checks 
using his and his wife’s signature. Through handwriting analysis, our detectives 
were able to charge Miller with multiple felony counts of theft, forgery, identity 
theft, and conspiracy. 

In Delaware County, we also see criminals using the internet to trick people into 
giving them money or merchandise. These scams run from the small-time bait-and- 
switch schemes as you might see on Craigslist, to sophisticated false websites that 
are set up to look like genuine websites, such as major banks. Computers can also 
be used as instruments of stalking or harassment via e-mail or social networking 
sites. Targeting another vulnerable population, computers are also used in crimes 
against children where the internet is used to traffic child pornography and by pred- 
ators to entice our children to meet them for sexual purposes. Dramatic increases 
in technology and its availability on the consumer level, coupled with a decline in 
cost, have given those who would exploit children a remarkably effective and far- 
reaching ability with which to do so. 

To combat these crimes, detectives with the Delaware County District Attorney’s 
Criminal Investigation Division (CID) Economic Crime Unit and the office’s forensic 
crime lab investigate financial crimes. The Unit receives complaints from our local 
law enforcement agencies, the private sector as well as the public. Financial crimes 
can refer to any number of nonviolent criminal offenses that involve obtaining finan- 
cial gain through fraud, deceit, misrepresentation, or other forms of deception. Fi- 
nancial crime is constantly evolving with the times, and is hitting new frontiers 
with the age of the internet. 

Identity theft can be committed against a single individual, corporation, or mul- 
tiple victims. It may be even more complex because there can be more than one vic- 
tim. Frequently, the crime may not be discovered until long after it was committed. 
Perpetrators may not live in the same jurisdiction as the victim and may commit 
the crime in several jurisdictions simultaneously, making it difficult for law enforce- 
ment to detect patterns and the actual extent of the crime. For example, identity 
theft could be committed against a Delaware County resident by a perpetrator in 
Florida who has committed the same crime against several other victims across the 
State. Given all of the above, it is clear that identity theft is a crime that presents 
unique challenges to law enforcement to investigate and prosecute. 

The complexities of identity theft cases can slow down or hinder investigations be- 
cause of the lack of resources available to conduct the cross-jurisdictional investiga- 
tion. 

Evidence needed by police to solve a cyber crime is often held by private industry 
outside of the police’s jurisdiction. For this reason, strong partnerships are essential to 
making cross-jurisdiction cooperation work. Investigation and prosecution can be 
time-consuming due to the volume of records required to be examined and the time 
required to obtain documents from banks and other financial institutions. The unit 
collaborates with and assists Federal, State, and local law enforcement in enforcing 
Federal, State, and local criminal laws relating to computer-related crime through 
forensic collection, recovery, processing, preservation, analysis, storage, mainte- 
nance, and presentation of digital evidence. 

As more and more people engage in on-line financial activities such as shopping, 
banking, investing, and bill paying, our residents become more vulnerable to sophis- 
ticated on-line identity thieves who target personal identification information. Iden- 
tity theft can happen off-line too. In Delaware County, we have seen low-tech, inex- 
perienced criminals successfully open credit cards and other financial accounts in 
another’s name by stealing mail, personal items such as a wallet, or even rum- 
maging through trash for personal identification information. 

In closing, no one, no individual, and no institution, is immune from these kinds 
of crimes. And so, increasing awareness of the issue is one important function of 
our Economic Crimes Unit. We alert the public to the steps they must take to en- 
sure that their computers are secure and their personal information is safe by shar- 
ing information through PSA videos, brochures, along with public presentations and 
seminars held in partnership with financial institutions, local businesses, and our 
community partnerships. 

Thank you. 

Mr. Meehan. I want to thank the District Attorney. I thank each 
of the witnesses for their testimony. So I now recognize myself for 
5 minutes of questions. 

I am grateful for your oversight, and we are here talking today about how law enforcement can work together at the Federal and local level as well. I started by saying that we have issues with terrorism, nation-states who are using the internet as a method for, you know, global reach, but our focus here today is on the criminal side of this activity, because that is what most directly affects our communities, especially communities here, the individual who has had their identities taken, the small banker who has to deal with the implications of a fraud, like Target.

So that is where people are beginning, for the first time, to see how they are actually affected by the kinds of sophisticated schemes that we see. We have looked at four different kinds of examples that have just come to mind, most significantly the Target breach, about 110 million identities, 40 million actual identities stolen through the point of service that was — well, the service mechanisms. The key thing being there that they were able to access this entire system by going through a heating and air conditioning contract that had access to the major system. Neiman Marcus, some 350,000 victims, the University of Maryland, 300,000 alumni, and students, having significant identification taken. It is not just the, you know, the private sector, or large universities, or others. The Government itself, the South Carolina Department of Revenue, 40 million identities that have been taken.

Now, I am struck by two things, and I would like to ask you guys to talk about this. As I look back, I see, first, particularly with respect to the Neiman Marcus, some of these viruses, or other kinds of malware, had been in the systems for months before detected — before activity takes place. In fact, they suggested at Neiman Marcus for 8 months it had been in there. In addition, we have seen this with Target, that there were numerous times in which there were signs, or other kinds of things, in which there could have been opportunities to catch some of this activity before it either manifested itself, or at least manifested itself to the degree that it did. There is a suggestion that as many as 300,000 pings, so to speak, in the Neiman Marcus should have tipped somebody off to look better.

In light of that, what do we need to be doing better to be able to identify those kinds of malware and other things that are living within systems for long periods of time before they are identified, and what do we need to be doing better, along the kill chain or otherwise, to be taking advantage of the signals that do arise to be able to impact these kinds of threats before they reach the scope that they are? I conclude by saying I do appreciate that many times what we don’t hear about is when you have successfully prevented some kind of remarkable thing, but I am asking you to give me your insights on that particular question. What do we need to be doing better, both with the time in there, as well as taking better advantage of the signals that are given? Mr. Baranoff.

Mr. Baranoff. I will get it started. First I will say that we are 
dealing with a very 

Mr. Meehan. Once again, would you make sure that your microphone is on?

Mr. Baranoff. Is that better? 

Mr. Meehan. Yeah. 

Mr. Baranoff. Okay. We are dealing with a very sophisticated actor, organized actor. We are able to defeat very sophisticated, organized systems. That is why we encourage business to really reverse the model, in terms of where investment is. First and foremost, to response and recovery, as well as a relationship with a law enforcement agency with jurisdiction. It is extremely important that we are getting a full breadth of the landscape of what is taking place. If companies aren’t reporting to us, that limits us as to the picture, threat picture.

Second, the one thing that we have found in almost every breach — actually, in every single major breach that we have investigated, there has been pre-attack behavior that has taken place. If you are able to identify those pre-attack anomalies, that will also help in the success of containing the issue. Then, obviously, continued investment and prevention, such as traditional prevention, like firewalls, proper segmentation, those help as well. But, again, the — probably the most critical element is the first piece, because it is not a matter of if, it is a matter of when you will suffer some type of breach.

Mr. Meehan. Yeah, I think you identified that — when we are talking about entrance into the systems, it requires, as you said, to reverse the process, to go almost down to the front end, to see the signals that are coming in, and to have some sort of shared responsibility in here. I noted at the outset this came in through a contractor, a subcontractor, that had access to a system.

But are we doing enough to make available to the small businessperson, to the local District Attorney’s office, you know, to the small financial services organization who holds these, are we doing enough to both get them the kind of information that allows them to see the signal that is being shared so that they can react in time? I mean, one of the criticisms that we are hearing is this most recent act, Heartbleed. I am informed that there may have been knowledge of that for months before anybody shared that with a broader spectrum of people.

Mr. Baranoff. There are many more — there are many vulnerabilities that exist beyond the Heartbleed Secure Socket Layer vulnerability. I think that, really, there are two parts here. First, the consumer has to take it upon themselves — the end result of a lot of these breaches is identity theft, and, unfortunately, the consumer needs to take it upon themselves to be viewing their credit reports, and to use cyber hygiene, as you mentioned in your opening statement. So I think that is of utmost importance.

Mr. Meehan. Now, Mr. Quinn, you see these from the global perspective. Again, as I said, oftentimes these are going back to Eastern European organizations. Certainly that is the suspicion with regard to the, you know, the — Target. What is your perspective on those questions about how we can

Mr. Quinn. Well, Chairman, first and foremost, I concur with ASAC Baranoff on some of his suggestions. You had alluded to terrorism before, and I approach things mostly from a terrorism background. One of the things — the analogous things that we need to do is institute trip wires within the company. There are a couple of things that I see from a local level that happened. First and foremost, the consumer, or the potential victims, aren’t necessarily educated about what the consequences are for some of these things. September 11 is often attributed to a failure of imagination. If I look at the cyber threat, and we haven’t had a cyber equivalent of 9/11, and I hope we don’t, but if I were to look at our vulnerabilities, it is a failure of imagination, but it is also a failure of appreciation, and perhaps recognition of the consequences.

I think some of the larger institutions do recognize the dangers and the consequences, but what you are talking about is what we anecdotally refer to as mom-and-pop operations. So it really breaks down at the local level to making sure that you have instituted trip wires, which is nothing more than effective outreach to them to educate them not only on the consequences and the threat itself, but prophylactic measures that they can take to guard against this. So for them, it won’t become a catastrophic event.

Mr. Meehan. I see. When you use trip wires, now, I mean — but clearly we saw a contractor, and by all analysis this contractor was — even though there were standards within the industry, they may have not been as up-to-date in terms of practicing those standards. So that becomes sort of the Trojan horse way into the kingdom. But once in there, there were signals that were sent, both with respect to trip wires that were set off

Mr. Quinn. Yes. 

Mr. Meehan [continuing]. At Target that were not followed up on appropriately as they set the malware that went through all the point-of-service, you know, transactions. Then also, with knowledge that they were inside the system, to some extent, the exfiltration was a second time in which there were a number of opportunities to prevent the scope of information escaping. So where is the responsibility, not just on the local level, but are we getting too many circumstances in which, you know, people — well, there is another, you know, that is just another alarm going off. It almost sounds like false alarms, and people are not following up on them.

Mr. Quinn. It is a fair point. I can’t necessarily speak to the Target investigation intimately because I am not involved in that at the National level, but what I can tell you is one of the challenges, when it comes to dealing with companies, is getting them to take — when the trip wires are tripped, to take that seriously. There has to be a shared responsibility. We in the Government do have a responsibility not only to investigate, but to the extent — try to mitigate ahead of time any of the consequences.

That said, once we do that, the potential victims share a responsibility in making sure that their security protocols are not only up-to-date, but adhered to. Because, quite frankly, from a risk management perspective, if you don’t adhere to your own security protocols, or if you don’t even have them in place to begin with, that is a liability. You create your own vulnerability. So I don’t want to minimize what we in the Government have to do. We definitely have to educate the private sector, but we also have to convey the message to them to take this seriously, because if you don’t, the consequences are catastrophic. The old saying about a stitch in time saves nine, it applies 100 percent to cybersecurity.

Mr. Meehan. My time has expired, and I will have some follow-up questions in what will be a second round, but at this point in time I want to turn to the Ranking Member for questions that she may have.

Ms. Clarke. Thank you once again, Mr. Chairman, and to our expert panelists who have come today. Just wanted to sort of backpedal just a little to break this thing down as fundamentally as we can. Because, again, we are here at the local level, and when you look at the case scenario that the Target incident provides for us, it is a layered process that got us to that massive breach, and it didn’t take all week to accomplish that.

I think that part of the challenge for a modern-day society is, how do we address it categorically? How does everyone see their responsibility, their obligations? How do we kind of connect the dots for each individual and/or entity in their particular space to be able to recognize what needs to be done to either mitigate a situation once it has occurred, or prevent it, ideally, from occurring?

I think that is part of the challenge for our society right now. You know, I — you talked about imagination, Mr. Quinn. The thing about technology is you don’t have to have a whole lot of imagination. It will help you to facilitate whatever it is that you want to do, and people don’t see imagination necessarily juxtaposed with intuition, right? So you intuitively — we use technology to a certain degree. You know you want to — you start here, and you know you want to go there, and you just figure out the tools for doing that. But most people don’t go beyond, to use the imagination to say, well, what if? Except the bad actors, right?

So the question becomes, for the innocent one, how do we sound the alarm for them? That is part of the challenge in the physical world, as well as in the world of technology, and the use of the internet. Then we talked about there were trip wires, and there were indicators, but, you know, I have been in buildings where you will hear the emergency alarm go off, and no one budges. Particularly people who are used to being in an environment where perhaps the emergency alarm goes off, and everyone knows it just goes off. However, the practice of actually responding is where the failure comes in.

So the question becomes, from your point of view, how do we develop, and this is for the entire panel, a clearer understanding of exactly what constitutes cyber crime? You know, is there a categorical difference in what we are dealing with? It is prevalence, the levels of harm to consumers and companies, I mean, we have kind of got to get into the weeds. Because — think about just the layers in the Target scenario alone. That small contractor, who — how many people worked for that contractor, and who was the person, ultimately, you know, that slipped up, in terms of the cyber hygiene?

You know, and what are the implications for that? What are the implications for the consumer that didn’t respond, though they know they shopped at Target, you know, and now, you know, they are in financial distress. How do we break this down categorically, and how can we better equip policymakers to debate this, the adequacy of Federal law? I joke about this a lot. I don’t do it to demean it, but I still have colleagues with flip phones, you know, so just dealing with the ideas involved in cyber becomes almost a foreign concept. How do we break it down for people? How do we make it real, and how do we strip away these layers and make it categorical? That is my question.

Mr. Baranoff. Should I get it started? 

Ms. Clarke. Yes. 

Mr. Baranoff. Okay. Let me just say this, just in the first quarter of this year, the Secret Service has responded Nation-wide to over 100 data breaches. Most of those companies are small and medium-sized businesses. They are not the large retailers that you hear about in the news. I read a recent statistic that stated that the average small to medium-sized business, when they suffer a data breach, will lose about $200,000. Eighty percent of those companies, within 6 months, will go out of business. Well, mitigating that statistic is extremely important to the Secret Service, which is why, as we collect cybersecurity information, we push it through our Department’s NCCIC to get it out to the greater industry.

Ms. Clarke. So, I mean, it is one thing being informed, it is one thing to find a way to get people to put this — put your recommendations into practice. Because, you know, that is a $200,000 hit, and you are not aware of what to do, or how to prevent it from happening in the future, becomes the challenge in the environment that we are talking about.

Mr. Baranoff. Well, I think a lot of that work is done at the State and local level, quite frankly, which is why we train State and local police officers, prosecutors, and judges at our National Cyber Forensic Institute in Hoover, Alabama. A lot of those front-line officers, and judges, and prosecutors are handling the multitude and the lion’s share of this work. That is what I would say on that.

Mr. Quinn. Well, in addition to what Mr. Baranoff had said, I 
think the key is making the consequences viscerally compelling. 
With other crimes, such as terrorism, you know immediately what 
the impact is. Had a Target store been blown up, and it was an 
act of terrorism, immediately people would have acted. It is making 
the abstract, the terabytes, and things of that sort, tangible. 

So the way we approach it, and, again, I am speaking from a local level, at the Philadelphia level, is we have two mechanisms by which we do this. We have our cyber task forces, which are comprised of agents, analysts, and computer scientists, as well as other members of the Federal, State, and local law enforcement community. That in and of itself is an educational process. We take that expertise, and we try to leverage it through our InfraGard program. For instance, in Philadelphia we have roughly 1,500 members of InfraGard. In Harrisburg it is about 650. They are the gateways to both the significant and the more mom-and-pop operations, because the way we are evolving that is we are trying to break it down by sector. If we can communicate within the InfraGard program to all of the entities that potentially could be impacted, we take care of the educational component.

Now, how you — now, we are always going to be seeking to prevent, first and foremost. Mitigation is a different story, and that is something that we share across the board as a Government, and with the private sector. So that is — my answer to your question is making the abstract tangible, letting people know where it hurts them, potentially.

Mr. Whelan. From a prosecutor’s standpoint, at the local level, unfortunately, we get into situations, and I agree with Mr. Quinn, where economic crime, cyber crime, is dealt with on the court level more leniently, and I agree that we need to educate our judges as to the devastating impact of cyber crime. We typically are dealing with some serious violent cases, and judges treat those violent cases accordingly. However, in economic crime cases, they may not be as aggressively prosecuted or treated only because of the ramifications, compared to the violent crime aspect. So we are encouraging our judges — I have instructed our prosecutors in cases of this nature, to make sure that they are aggressively prosecuting, but we also deal with sentencing guidelines, which set a standard range, a mitigated range, and an aggravated range, as to where the court should sentence in these types of cases.

We also — in addition to aggressively prosecuting the crime, we deal proactively with many of these situations by engaging in prevention, by going out to our senior citizen communities, going out to our parents, our PTAs, our Rotary clubs, and explaining to them how to be proactive in preventing themselves from being victims of identity theft, which is very important.

We periodically go to our business community and have forums in the business community. We invite guest speakers, such as our FBI — our local FBI office to come in and talk about cyber crime, and how they can better protect their business as a result of what we are seeing occurring on a National level, as well as a local level. So I think we need to continue with both the aggressive prosecution, as well as the prevention efforts.

Mr. Meehan. I thank the — and the Chairman now recognizes the 
gentleman from Bucks County, Mr. Fitzpatrick. 

Mr. Fitzpatrick. I thank the Chairman again, and we really appreciate the testimony of the law enforcement, and the law enforcement perspective of the witnesses here today.

I wanted to follow up on, Agent Baranoff, something you stated, that, you know, a great majority of the security breaches, the victims are small and medium-sized businesses. We hear in the news about the significant security breaches, the retailer — Target organization, we have all heard about that. We have come to understand from news reports that many times when — could be an educational institution, or a retailer, or a merchant, is a victim of a security breach, of a cyber attack, that there is a lag time, that there is a lapse, if you will, between when that organization becomes the victim, when the incident occurs, and when they understood that it occurred.

Many times they are informed of the attack, of the victimization, by a third party. You know, could be their bank, credit institution, a financial services institution. Many times it is law enforcement informing the victim that they are, in fact, a victim. I was wondering if each of you, from your different perspectives, could comment on why you think there is that lapse. Is it that we are not identifying the security breach? What is it that Congress can do to help law enforcement, or help, perhaps, these institutions or merchants to understand quicker? Because it is one thing to become, you know, as a small business, to become a victim of a $200,000 hit, and the victims, you know, Chairman Meehan wanted to bring this down to a local perspective, is that small business in our community, the customers that rely on that business, the families, you know, of the employees who rely on that paycheck, they all become victims of that particular attack.

It is one thing that — to have that attack occur, but then to not recognize it, and have it occur perhaps many times, until somebody actually informs them. So I was wondering if you could just comment on why is it the lapse occurs, and what can we do better to speed up that realization?

Mr. Baranoff. Well, some of the lapse may be resulting from investment by the companies. The small or medium-sized companies, it is very expensive to have the proper cyber mitigation in place. I agree with what you stated earlier, that both the Trustwave and Verizon reports that we participate in, the most — they are two of the most widely-read data breach reports that exist today, they both have found in their studies, along with us, that a majority of the notification is made by an outside party, so the victim isn’t knowing that they are being victimized as the event is taking place.

I think, again, the notification to law enforcement is paramount. We don’t hear from a lot of folks, and I think that, you know, aside from the larger retailers, and the larger companies, the smaller ones are just as important. Again, it will give us a breadth of what is taking place. It also will help us empower the NCCIC, in pushing out its information to the broader industry, to include the financial services information sharing and analysis centers, as well as the multi-State ISACs. So I think that notification to law enforcement is extremely important.

In terms of deterrent, if we were to go down to the road of deterrent, we would certainly support legislation that strengthens 18 U.S. Code 1030, which is the Computer Data Breach statute, perhaps having it as a predicate to a RICO charge, which is a much stronger charge. So that type of legislation would be helpful as well.

Mr. Quinn. Thank you, Congressman. I echo my colleague’s statements, but I also would point out that the delay sometimes could be a result of the companies themselves not being state-of-the-art when it comes to training, or even identifying vulnerabilities or malware that is in their system. But I also think it would be, you know, disingenuous of me to say that — or to not acknowledge that some companies may be reluctant to notify law enforcement. It is that — that is where we kind of have — it is incumbent upon us, and the Federal, State, and local systems, to disabuse them of the notion that, when we come in, we are going to throw their operations into chaos, and that it is going to be a chaotic atmosphere, or something that is overly intrusive to them.

It is cliché to say that the Federal Government is here, we are here to help you, but we really do have to market ourselves in that respect, is that we are here to help you prevent, we are here to help you mitigate. We will maintain as small of a footprint as possible, and try to minimize the impact on your operations, and that is the investment that will keep you from losing out long-term.

Mr. Whelan. Certainly, from our perspective, it is devastating to our local businesses when this occurs. We do see individuals that it affects. Recently, over the last year-and-a-half, two of the three detectives that we have hired were hired as experts in computer forensics, and we are now looking at hiring more analysts, lay individuals, not sworn officers, that can assist us in dealing with the issue of cyber crime, so that when a business reacts, and when an individual is affected, we have the necessary tools to go out and address it. So it is becoming very expensive, from our level, to continue to fight, but the good news is that we have a great relationship with the FBI, and — in cases that are cross-jurisdictional, and in cases where we just need the assistance of the FBI, where — we reach out to our local Newtown Square office, and they have been very helpful for us.

Mr. Fitzpatrick. So what is your experience in Delaware County? Is it that, in most cases, law enforcement is notifying the victim, or the victim is contacting the District Attorney’s office? Now, you mentioned in your testimony that many of these cases of identity theft and cyber terrorism, it is occurring in not just two jurisdictions, but across several jurisdictions, so you are dealing with many, many different law enforcement agencies. Does that add to the lag time and notification?

Mr. Whelan. Absolutely, and that poses problems from an investigation, as well as a prosecutorial standpoint, so that does become a factor. For the most part, we are being notified, and hopefully as early as possible. Then we send our team of forensic experts in to look at the situation, make a determination as to where it originates, how it is affecting the company or the individual, and then act accordingly whether we are going to ask for additional help either on the State or Federal level, or can we locally handle it, prosecute it, investigate it to our fullest extent?

Mr. Fitzpatrick. I appreciate what you are doing. Thank you. 

Mr. Meehan. I thank the gentleman from Bucks County. I have some follow-up — a follow-up question related to the discussion that we just had. That is a staggering statistic there that was just mentioned, that there is — $200,000 is a loss, and that oftentimes we see within months that company goes out of business. To me, that really recognizes the impact of this on a local level. We are talking about the social costs of cyber crime. We often discuss on the macro level, you never know when you didn’t get the project because somebody stole your bid information before it was placed. The cyber espionage can be real, but this statistic where, you know, we have a local company, and the margins are so thin. So in addition to the financial crime, we are losing jobs associated with this. This is having a real impact.

I met yesterday with a local 501(c)(3) organization, you know, a non-profit entity, with a staggering $650,000 hit that came through a network in which their network was compromised without their knowledge. Now, insurance is going to carry about a third of that, and they may be able to litigate, but it is going to take them years to get a resolution. Meanwhile, they are on the hook for $400,000, and this is a non-profit entity. So how do we deal with financial institutions, small businesses? Where is this sweet spot? Because we are asking them to engage more in their home cyber protection, but how do they know what is the right amount? Because you could — it could be an endless process of trying to protect the fortress, so to speak.

So in line with this dynamic process, in which we pick up information at different points in time, how are we getting to the people that we know are impacted, because we know there is information from their systems, and giving them real-time information that allows them to catch up with everybody else in a timely fashion before they find themselves victimized?

Mr. Baranoff. Well, the sharing of that cybersecurity information is probably one of the most paramount preventative methods that you can have. That is why we encourage folks to join our electronic crimes task forces, to attend our meetings. We push out cybersecurity information through our electronic crimes task forces just as quickly as we do through the FS-ISAC, through the Department’s NCCIC, and so on.

Mr. Meehan. So is the key, I mean, to work through — again, because, while you may have a local — I keep going back to banks. You know, you may have a local bank that is sizeable that, on a monthly basis, attends your meetings there, or InfraGard, but, you know, you have small community-based organizations that may have four or five branches, and how do they find the time to take somebody out once a month to, you know, spend the better part of a day getting that? Where — how do we get down — through what mechanisms do we get down to the local level to get to the people who need the information?

Mr. Baranoff. Well, in terms of our task forces, they are regionally based, so the issues that are affecting the Southwest are different than the issues affecting the Northeast. Those particular issues, related to the region that they are in, are addressed by that particular task force. So whether it is cybersecurity information related to the banking industry, or cybersecurity information related to the oil and gas industry, that information is shared in real time with those particular partnerships.

Mr. Meehan. Do we reach out to people, or do we compile lists so that we know somebody has likely had their system impacted, and do we go out, even if they are not part of an association, or part of an ISAC, or part of even a Chamber of Commerce or something? Do we go — get down to trying to let victims know that they have been victimized?

Mr. Baranoff. We absolutely do, and one thing that we take pride in at the Secret Service is that when we call you, we have information that is actionable. We have information, you know, we know where the needle is, and what haystack to look under. That is based on the proactive nature of our investigations. We are willing to burn a source, for example, to maintain the resiliency of an organization. Prosecution for us, quite frankly, is secondary. So we do get out to the industry, and we do provide that information in real time to save that company. I can tell you last year alone we saved several small or medium-sized banks from going under because of the information that we provided.

Mr. Meehan. Special Agent Quinn, do you have some thoughts 
on that? 

Mr. Quinn. I concur wholeheartedly. I mean, our mechanism is 
a little bit different, but it is the same principle. We utilize the 
Cyber Task Force and the InfraGard chapters that are within, 
and, quite frankly, we outsource messaging to them. We identify 
sector chiefs — we’re in the process of identifying sector chiefs be- 
cause what can happen is, and it is alluded to already, a lot of 
these small to medium-sized businesses may not ever know. If we 
get a tip, it is incumbent upon us to get out there to notify them 
to — important to mitigate, but also prepare them, to prevent some- 
thing like that from happening again. Also share it among — across 
sectors in the event that it might be a continuing threat against 
other sectors. 

Mr. Meehan. DA, do you — how do you perceive information 
being taken down to your level, with your colleagues in law enforcement, or the entities that come to you with concerns or complaints? 

Mr. Whelan. Well, certainly we have come across situations 
where individuals will approach us and ask us as to how they can 
be better protected, and what issues can they take? We certainly 
refer them to the resources that are available for that particular 
information, whether it be through the State level, or through the 
Bureau level, with the FBI and the Secret Service. 

However, many times what we are dealing with is going out into 
the community through our white collar crime unit. In addition to 
investigating the crime, we will go out there and meet with various 
business entities. We will also meet with various individuals that 
may be vulnerable to crime, and address some of the concerns that 
they have, and they will relate information to them. So, from that 
perspective, we are proactive, but, for the most part, unfortunately, 
from our perspective in the prosecutor’s office, we are reacting 
when a person already becomes a victim to a crime. But we have 
developed over the years many proactive programs. 

Mr. Meehan. Thank you. I turn to the gentlelady from New 
York. 

Ms. Clarke. I thank you, Mr. Chairman, and, you know, we 
know that private-sector companies, individuals, and law enforce- 
ment efforts are complicated by the borderless nature of cyber 
crime. It is like — it is insidious when there is the ability to be able 
to tamper with the systems that exist, that are all connected to the 
internet. It is almost like quicksilver, because we all know that 
cyber criminals are not hampered by physical proximity. There can 
be regional, national, international borders involved. We know that 
they can be physically located in one nation or state, and direct 
their crime through computers in multiple nations or states, and 
store evidence of crime on computers in yet another nation or state. 

So my question to you is a couple of things. No. 1: Does this beg 
for us to develop a new level of law enforcement and jurisprudence 
to address just the nature of how this operates? Is there a par- 
ticular stratification that needs to develop to — so that, you know, 
it doesn’t take the DA, you know, 2 weeks before he is able to begin 
an investigation, trying to capture forensic evidence that may be in 
his jurisdiction, but could easily be shifted? I want us to think 
about that picture, because I have a hard time viewing what we 
are dealing with right now as a society under the current bound- 
aries of the laws that exist. 

I mean, crime is crime, yes, but the nature of this one, the ability 
to do things so quickly, is not something that we are all accus- 
tomed to. I want to raise that with you and get your 

Mr. Baranoff. I would agree. The international component is es- 
sential. The vast majority of our greatest threat actors in cyber are 
located overseas. The most sophisticated actors are overseas, at- 
tacking our infrastructure. Fortunately, the Secret Service has an 
outstanding relationship with some of the best cyber units located 
abroad, to include the Dutch National High Tech Crime Unit, the 
German BK, and the like. We rely on them to work with us to both 
capture these individuals, as well as collect evidence. A lot of the 
evidence ends up in overseas countries. So that international com- 
ponent is essential, and we need to continue to grow and expand 
that international presence to bring these cases to a good conclusion. 

Mr. Quinn. Ranking Member, law will always lag behind tech- 
nology. We see it across all programs, all investigative programs. 
I see it most significantly on the National security side, when it 
comes to new techniques, and how to accommodate — things of that 
sort. But like Mr. Baranoff had said, what we do — and because of 
that, it is — it is paramount that the relationships that you have 
overseas, both through — within the FBI, our FBI legal attache net- 
work — we have roughly 64 legal attaches across the world, with 
200 sub-offices. 

They are crucial, because it is their relationships with their for- 
eign government counterparts that enable us to dual — accomplish 
the dual objectives of attribution, which is important, but when you 
think about it, what is the value of attribution if you can’t do any- 
thing against them? We rely heavily upon our foreign service part- 
ners to execute some type of law enforcement action against them. 
So until the law captures or catches up to that, we have to rely 
upon the personal relationships. 

Mr. Whelan. Once our cyber detectives make a determination 
that a crime is committed, what they will do first is try to preserve 
that evidence, collect it, investigate it, preserve it. Once we recog- 
nize that it has crossed jurisdictional lines, we will contact the FBI, 
give them the information that we have, and cooperate with the 
FBI with everything we can do from the local level, and work with 
them as a — on the National issues, based on the evidence we have 
already presented to them. 

Ms. Clarke. So I guess I am hearing from everyone that our cur- 
rent laws are sufficient for us to be able to do what we need to do 
in order to protect our citizenry, and address actors that may be 
seeking to do us harm, that we are in a place where we are not 
yet ready to approach these concerns in a way in which — the one 
thing about laws is they serve a lot of purposes. One, it is to help 
redress the harm that may have been done to someone, but often- 
times people see them as a deterrent to types of behaviors that, if 
you know what the consequences are, you know, because it is in 
statute or law, you are going to think twice, or you are going to 
understand what the implications are. 

My concern is that I don’t know that people actually understand 
the implications of a lot of what is taking place on the internet, in 
terms of law, and I don’t know where we are going to catch up with 
it. In the interim, there are just some legal breaches that are hap- 
pening along the way to individuals that are just using this tech- 
nology, some meaning to do harm, others sort of stuck in the gray 
area, some kids, you know, that get on the internet and act stupid. 
How do we approach this now, if what we are saying is, “Well, the 
laws are always going to lag behind the technology”? Any ideas? 

Mr. Quinn. Well, I can venture just — you — because that is — I am 
the one that said that the laws will always lag behind technology. 
Keep in mind that the value of a law is only as good as your ability 
to enforce it. So I think that it is going to be a whole Government 
approach. Our ability to enforce either our own laws, or perhaps le- 
verage the laws of, for instance, a foreign country, where an actor 
is committing these type of cyber crimes, there may be a political 
and a — there may need to be political and diplomatic leveraging 
mechanisms, and so I don’t want to create the impression that reli- 
ance upon the law is going to be an end-all, be-all to that. 

Mr. Meehan. I thank the gentlelady. Before I let you go, let me 
just ask one other question as we are going through this, because 
we are talking about systems that are, you know, the systems 
aren’t static, and how are we dealing with the changing tech- 
nology? I mean now, rather than — protecting something used to be 
the computer system within a business. You know, we are seeing 
cell phones, we are seeing GPS, we are seeing skimmers that can 
be used, or iPads. I mean, people now have in their hand the full 
computing power they used to have in the heart of a business. It 
seems like it is getting tougher. 

Mr. Baranoff. I would say that, you know, when I first started 
in cyber about 7 years ago, the technology changed probably every 
18 months. Today I would say it is a third of that, probably every 
6 months. It is challenging for us, in that environment, to stay up 
with technology, certainly with the training that is needed to inves- 
tigate a lot of these crimes. 

Mr. Quinn. For us, you are absolutely right, it is probably one 
of the bigger challenges that we face. What we have to do in order 
to stay on the cutting edge is recruit computer scientists to come 
in, and that in and of itself can be a challenge, because they have 
opportunities that are unique, and, quite frankly, more lucrative 
out in the private sector. But in addition to training our own work- 
force, and taking responsibility for it within, we have to bring oth- 
ers in who have the expertise, and at the same time leverage part- 
ners in the private sector who can help us do the same things. 

Mr. Whelan. We are constantly updating, and having our detec- 
tives, our computer forensic detectives, in new trainings, new 
courses, new certifications. It seems like every couple months the 
detectives are away from the investigation, or at schools, to update 
themselves on the new technology. Now we are looking at hiring 
new analysts, and looking at new technology to bring them in so 
that they are coming in at a level with the current technology, as 
opposed to someone that has been out there that may not have 
been updated. So it is a constant battle, and it is a constant ex- 
pense for us. 

Mr. Meehan. Well, I thank the entire panel for your presence 
here today, but not just your testimony, but for your good work in 
these areas. As I said at the outset, we don’t hear about the crimes 
that aren’t committed, and so there are some remarkable things 
that are being done. I — the takeaway I get from this is the respon- 
sibility that we have to encourage businesses that aren’t coming 
forward, those who are part of your InfraGard, to report in, those 
that are part of your Electronic Crimes Task Force. The — people 
that are coming in to your, you know, they may be dealing with 
you in the form of reporting something that is a local crime, but 
not taking the time to make sure that they share that with a — with 
the National matrix, because you never know where the weakest 
link is, and where something is coming in. 

So thank you for the good work that you are doing, and I am par- 
ticularly appreciative of your being here today. We will take a mo- 
ment for the second panel to organize itself. 

Let me thank our second panel for your patience in being with 
us today, and again for your testimony, or your prepared testi- 
mony. I am very grateful. You tell, and are an important voice in 
this dynamic. While we have spoken to law enforcement about the 
procedures, you are the ones on the front lines, in terms of dealing 
with the implications of this, or looking at the issues with respect 
to the totality, but particularly as it affects the victims that ulti- 
mately work through some of the entities in commerce. 

So we have — we are pleased to be joined by three more panelists 
to conclude our hearing. The first is Mr. Ted Peters. He is the 
chairman and CEO of Bryn Mawr Trust. That is a company that 
provides personal and business banking throughout the State of 
Pennsylvania. Mr. Peters has more than 30 years’ experience in the 
banking industry, including many successful entrepreneurial en- 
deavors. He has been at the helm of Bryn Mawr Trust since 2001, 
and certainly has seen the growth in this area. In addition, Mr. 
Peters was elected to serve a 3-year term on the Federal Reserve 
Board, Bank of Philadelphia Board of Directors. 

Joining Mr. Peters is Mr. Tom Litchford. He is the vice president 
of retail technologies at the National Retail Federation, and the 
National Retail Federation is the world’s largest retail trade asso- 
ciation, representing all varieties of retail stores across more than 
45 countries, and including the Targets of the world. As vice presi- 
dent, he leads and manages the NRF’s IT leadership community, 
including its Chief Information Officer Council. He also oversees 
the Federation’s Association for Retail Technology Standards as its 
executive director, where he develops and enhances domestic and 
international relationships between retail and technology compa- 
nies. Mr. Litchford, thank you for being with us. 

Last, we are joined by Matthew Rhoades, who is the Director of 
Cyberspace and Security Programs with the Truman National Se- 
curity Project, and the Center for National Policy. In this role, he 
leads the program’s Steering Committee, and directs the organiza- 
tion’s cybersecurity policy initiatives. Previously he served as the 
director of legislative affairs at the Truman National Security 
Project, and in that capacity he ran the Congressional Security 
Scholars Program, and was the principal author of the Truman Se- 
curity Briefing Book. I know you enjoy an overall perspective on 
this, and we are looking forward to your thoughts. 

So I thank you all for being here. Your written statements will 
appear in the record, so I look forward to your verbal testimony. 
Mr. Peters, the Chairman now recognizes you for your opening 
statement. 

STATEMENT OF FREDERICK “TED” PETERS, CHAIRMAN AND 
CEO, BRYN MAWR TRUST 

Mr. Peters. Yes. Chairman Meehan, Chairperson, or Chair- 
woman Clarke, and — excuse me, Chair — Congress — Congress- 
woman Clarke, and Congressman Fitzpatrick, thank you for having 
me as a witness in this area of critical importance to our country. 
As a banker for almost 40 years, I will try to focus my comments 
and testimony on issues relating to the financial services industry 
and its clients. Some quick background on Bryn Mawr Trust, 
where we recently celebrated our 125th anniversary as a Philadelphia area institution, we are a $9.5 billion organization, with over 
$2 million of banking assets, and $7½ million — excuse me, $7½ 
billion of trust and investment assets, and we serve primarily indi- 
viduals and closely-held businesses which operate in this region. 

All banks and financial institutions are extremely alarmed at the 
actual potential threats of cyber crime. At our bank we have de- 
voted extraordinary amounts of time, man- and women-power, and 
money to protect our bank, all of our clients, from this growing 
problem. In fact, it is approximately $1 million a year we spend on 
this. 

In the United States and world-wide, cyber crime and cyber 
threats are multiplying at an alarming rate. These threats come in 
the form of hacking, phishing, its more sophisticated derivative 
spear phishing, malware intrusion, and the well-publicized DDOS, 
or Distributed Denial of Service, attacks, which have been per- 
petrated on many larger U.S. financial institutions. 

Who are the bad guys? They are no longer precocious teenagers 
operating at 3:00 in the morning in their parents’ rec rooms. To- 
day’s perpetrators are high-level professionals who fall into a num- 
ber of categories. Organized crime rings are responsible for over 
half of all attacks. These are well-organized groups which occupy 
in a structured and efficient manner, with profit and loss state- 
ments much like legitimate businesses. Their sophistication is ex- 
tremely high, and improving almost daily. 

Next are the State-supported enterprises, which comprise about 
a quarter of all attacks. These enterprises have different motives 
than organized crimes — crime, and are usually looking for intel- 
ligence information that would give a nation-state some political or 
military advantage. Primary offenders here are China, and the 
former satellite countries of the Soviet Union. 

A third group would be the hacktivists, and you have probably 
heard of some of these groups, such as Anonymous, or the Tunisian 
Hackers Team, and these organizations are usually not seeking fi- 
nancial gain, but are more interested in making headlines. Al- 
though hacktivists only account for a small percentage of attacks, 
they have very — been very successful in creating a series of high- 
profile DDOS attacks against financial institutions in the United 
States. 

Last, current and former employees and vendors also provide a 
serious threat. I think we have all heard of a gentleman named Ed- 
ward Snowden. 

One of the biggest threats to banks around the country are cor- 
porate and individual account takeovers, initiated by malware 
being secretly installed on a business or person’s computer. Again, 
you will recognize some of the names of this malware, Citadel, Trojan, Zeus. Once inside, the perpetrator will then move money 
around, and eventually try to clean out the accounts. 

Point-of-sale payment systems are another favorite target of 
malware criminals. Once the malware is secretly installed on a 
merchant’s computer, the malware allows cyber criminals to access 
all the unencrypted credit card and debit card information, and at 
times the encrypted data as well. 

What is the solution? Unfortunately, there is no 100 percent so- 
lution. The cyber criminals who are out there always try to stay 
one head — one step ahead of the financial services industry. The 
following, however, are considered best practices to reduce the pos- 
sibility of any attack being successful. First, businesses, and indi- 
viduals, and financial institutions, need to use a multi-layered ap- 
proach. This means a combination of many risk-based, predictive, 
and behavioral technologies which are out there. Companies, and 
consumers, and financial institutions who provide a hardened tar- 
get will find the cyber criminal moving on to new and an easier vic- 
tim. Next, financial institutions must build a strong feedback loop 
so that any intrusion can be identified, and defended accordingly. 
Last, we must continue to perform on-going assessments of risk, 
and improving our defenses. 

With that, Mr. Chairman, my testimony is concluded. 

[The prepared statement of Mr. Peters follows:] 

Prepared Statement of Frederick (Ted) Peters 
April 16, 2014 

Thank you for having me as a witness in this area of critical importance to our 
country. As a banker for almost 40 years, I will try to focus my comments and testi- 
mony on issues relating to the financial services industry and its clients. 

Some quick background information on the Bryn Mawr Trust Company, where I 
currently serve as chairman and CEO. At Bryn Mawr Trust we recently celebrated 
our 125th anniversary as a Philadelphia area financial institution. We are a $9.5 
billion organization, with over $2 billion of banking assets and $7.5 billion of trust 
and investment assets under management or administration in the States of Penn- 
sylvania and Delaware. We serve primarily individuals and closely-held businesses 
which operate in this region. Not only have we survived numerous wars, recessions, 
and depressions, but have thrived and are one of the highest-performing banks in 
the Nation. 

All banks and financial institutions are extremely alarmed at the actual and po- 
tential threats of cyber crime. At our bank we have devoted extraordinary amounts 
of time, man-, and woman-power, and money to protect our bank and all of our cli- 
ents from this growing problem. 

In the United States and world-wide, cyber crime and cyber threats are multi- 
plying at an alarming rate. These threats come in the form of hacking, phishing, 
its more sophisticated derivative spear-phishing, malware intrusion, and the well-publicized DDoS or “Distributed Denial of Service” attacks on larger U.S. financial institutions. 

Who are the “bad guys”? 

They are no longer precocious teenagers operating at 3 in the morning in their 
parents’ rec rooms. Today’s perpetrators are high-level professionals and fall into a 
number of categories. 

Organized crime rings are responsible for over half of all attacks. These are well-organized groups which operate in a structured and efficient manner with profit-and-loss statements much like a legitimate business. Their sophistication is extremely high and improving almost daily. 

Next are state-supported enterprises which comprise about a quarter of all at- 
tacks. These enterprises have different motives than organized crime and are usu- 
ally looking for intelligence information that would give a nation-state some political 
or military advantage. Primary offenders here are China and former satellite coun- 
tries of the Soviet Union such as Bulgaria, Romania, and the Ukraine. 

A third group would be the “hacktivists” and you have probably heard of some 
of these groups such as “Anonymous” or the “Tunisian Hackers Team”. These organizations are usually not seeking financial gain, but are more interested in making 
headlines. Although “hacktivists” only account for a small percent of attacks, they 
have been very successful in creating a series of high-profile DDoS against financial 
institutions in the United States. 

And lastly, current and former employees and vendors also provide a serious 
threat. I think we have all heard of a gentleman named Edward Snowden. 

One of the biggest threats to banks around the country are “corporate and indi- 
vidual account takeovers” initiated by malware being secretly installed on a busi- 
ness or person’s computer. Again you will recognize some of the names of this 
malware — Citadel, Trojan, and Zeus. Once inside, the perpetrator will then move 
money around and eventually try to clean out the accounts. 

“Point of Sale” payment systems are another target of malware criminals. Once 
the malware is secretly installed on a merchant’s computer, the malware allows 
cyber criminals to access all of the unencrypted credit card and debit card informa- 
tion, and at times the encrypted data as well. 

What is the solution? Unfortunately there is no 100% solution. The cyber crimi- 
nals are out there always trying to stay one step ahead of the “good guys”. The fol- 
lowing, however, are considered “best practices;” to reduce the possibility of any at- 
tack being successful. 

First, businesses and individuals need to use a multi-layered approach. This 
means a combination of many risk-based, predictive, and behavioral technologies 
which are out there. Companies and consumers who provide a “hardened target” 
will find the cyber criminal moving on to a new and easier possible victim. 

Next, build a strong “feedback loop” so that any intrusion can be identified and 
defended accordingly. 

And lastly, continue to perform on-going assessments of risk and improving one’s 
defenses. 

With that, Mr Chairman, my testimony is concluded. 

Mr. Meehan. I thank you, Mr. Peters. 

The Chairman now recognizes Mr. Litchford. 

STATEMENT OF THOMAS LITCHFORD, VICE PRESIDENT OF 
RETAIL TECHNOLOGY, NATIONAL RETAIL FEDERATION 

Mr. Litchford. Thank you, Chairman Meehan, Ranking Mem- 
ber Clarke, and Representative Fitzpatrick. Thank you for giving 
me this opportunity to provide you with my thoughts on safe- 
guarding consumer information from cyber attacks. Again, my 
name is Tom Litchford, and I am vice president for retail tech- 
nologies at the NRF. In that role, I manage the CIO Council, the 
IT Security Council, and the Association for Retail Technology 
Standards, and we serve over 12,000 members around the world in 
the retail industry. 

Regarding the recent cyber attacks, I would first like to comment 
on the often-forgotten fact that these breaches are perpetrated by 
criminals, and often they are very sophisticated criminals that are 
breaking the law. The targeted retailers are victims in these situa- 
tions, and these victims care deeply about maintaining the con- 
fidentiality of their customer information, because if they lose that 
data, they lose their customers’ trust, and ultimately they lose 
business. 

The retail industry makes significant investments every year in 
order to protect confidential customer information. Collectively, re- 
tailers spend billions of dollars annually to safeguard data and 
fight fraud. But the NRF also understands that preventing cyber 
crime is a complex endeavor, that no single solution or silver bullet 
exists. Breaches still occur, and not just in the retail industry. In- 
deed, in 2013 more breaches happened at financial institutions 
than at retail stores and websites, and no industry is immune 
from this. 

Regarding the problem here, in retail breaches, the criminal 
hackers want to steal consumers’ payment card data, which they 
can easily then monetize by fencing the stolen numbers on black 
market websites. U.S. retailers are targeted because we not only 
see the greatest number of cardholders, but our merchants have to 
accept 50-year-old, fraud-prone payment card technology. In the 
United States, a signature, and a magnetic stripe with unencrypted 
card numbers are all that is needed to authenticate a customer and 
receive payment authorization. NRF supports an immediate move 
to replace the virtually worthless signature authentication with 
much more secure personal identification numbers, or PINs, as is 
used most everywhere else in the world. If marginally more secu- 
rity is needed, then a computer chip technology could be added to 
cards and card readers, but with significant cost to our — all participants in the payments systems. 

It is important to point out that our members’, or our retailers’, 
support for PIN and chip technology does not mean that we should 
be forced to adopt what is called EMV technology. EMV is a propri- 
etary chip technology controlled by the major card brands. Indeed, 
EMV stands for Europay MasterCard and Visa. Worse, in the U.S. 
market, the EMV standard does not require a use of a PIN. The 
card companies require PINs in Canada, the United Kingdom, Eu- 
rope, and other countries, but seek to do chips without PINs in the 
United States. While EMV chip without PIN certainly protects the 
banks, the card companies’ current proposal to continue with signa- 
tures in the United States leaves the fraud door open. 

Before the retail industry is expected to spend an estimated $30 
billion for stores to upgrade their readers to accept partially-pro- 
tected EMV cards, the NRF has urged the card networks to incor- 
porate PINs now that focus on addressing security now so that re- 
tailers are protected, and then focus on addressing security across 
the entire payment ecosystem, meaning not only stores, but on-line 
and mobile. 

In addition to addressing the problems with the current payment 
systems, a critical step forward is the need to foster greater col- 
laboration. With that, the NRF believes that a heightened and 
well-coordinated information-sharing platform, such as a retail 
ISAC, is a vital component for helping retailers in their fight 
against cyber attacks. NRF is moving forward with the creation of 
such a program, that will provide retailers access to information on 
cybersecurity threats identified by retailers, Government, and law 
enforcement agencies, and partners in the financial services sector. 
The program, developed in consultation with the Financial Services 
Information Sharing and Analysis Center, the FSISAC, will launch 
with the establishment of an information-sharing platform for re- 
tail industry information security specialists, and plans call for a 
retail ISAC to be established this summer. 

Recently representatives from the NRF held in-depth discussions 
with the United States Secret Service, and with the NCCIC, the 
National Cybersecurity and Communications Integration Center, 
and the US-CERT, the Computer Emergency Readiness Team, 
with the idea to get insight and guidance on how to improve com- 
munication, identify available resources, and collaborate more ef- 
fectively to help retailers combat criminal cyber activity. NRF and 
its membership recognize that full robust information sharing is 
sometimes hampered by restrictions — legal restrictions. Accord- 
ingly, we support passage of H.R. 624, the Cyber Intelligence Shar- 
ing and Protection Act. 

In conclusion, by creating a robust information-sharing platform 
through which retailers can better prepare themselves to defend 
against cyber crime, NRF is actively engaged in protecting consumer data. In supporting improved payment card technology, we 
seek to move the industry beyond the 50-year-old technology that 
makes the U.S. retail industry a prime target for these breaches. 
With efforts — with these efforts, as well as Congress’s continued ac- 
tions to encourage information sharing, we believe we can make 
the payment system more secure for everyone involved. 

With that, thank you, and I will be happy to answer any of your 
questions. 

[The prepared statement of Mr. Litchford follows:] 

Prepared Statement of Thomas Litchford 
April 16, 2014 

Chairman Meehan, Ranking Member Clarke, and Members of the subcommittee, 
thank you for giving me this opportunity to provide you with my thoughts on safe- 
guarding consumer information from cyber attacks. My name is Tom Litchford, and 
I am vice president of Retail Technologies at the National Retail Federation (NRF). 
In my role at the NRF, I manage the CIO Council, the IT Security Council, and 
the Association for Retail Technology Standards. 

NRF is the world’s largest retail trade association, representing discount and de- 
partment stores, home goods and specialty stores, Main Street merchants, grocers, 
wholesalers, chain restaurants and internet retailers from the United States and 
more than 45 countries. Retail is the Nation’s largest private-sector employer, sup- 
porting 1 in 4 U.S. jobs — 42 million working Americans. Contributing $2.5 trillion 
to annual GDP, retail is a daily barometer for the Nation’s economy. 

With respect to consumer data breaches I’d first like to comment on an often for- 
gotten fact — that these incidents have been perpetrated by criminals — and often 
very sophisticated criminals — that are breaking the law. The targeted retailers are 
victims in these situations — victims that care very deeply about maintaining the 
confidentiality of their customer information because if they lose that data, they lose 
their customers’ trust, and they lose business. 

Accordingly, retailers make significant investments every year in order to protect 
this data. Collectively, retailers spend billions of dollars annually to safeguard data 
and fight fraud, as well as hundreds of millions annually on PCI compliance. And 
yet, breaches still occur. And not just in the retail industry. You may be surprised 
to learn that in 2013 more breaches happened at financial institutions than at retail 
stores and websites. Manufacturing, transportation, and utility companies, and even 
professional services firms were targeted. No industry is immune. 

In retail breaches, the bad actors are primarily after payment data — i.e., credit 
or debit card numbers — and they particularly like to target U.S. cards. Why? Be- 
cause of the volume of credit and debit card numbers, and the fact that merchants 
must accept from customers 50-year-old payment card technology — a magnetic 
stripe and a signature are all that is needed to “authenticate” the customer and re- 
ceive payment authorization. The bottom line is that signature and mag-stripe 
based cards are inherently fraud-prone products. Unfortunately, retailers and our 
customers are largely at the mercy of the dominant credit card companies when it 
comes to reducing card fraud. 

So, how can we move forward? What types of solutions would reduce or eliminate 
the crimes of data theft and fraud? 

THE WAY FORWARD TO PROTECT THE RETAIL INDUSTRY 

One solution would be to replace signature authentication with an encrypted Per- 
sonal Identification Number (PIN). This would greatly reduce the utility of counter- 
feited cards and go a long way toward reducing fraud. 

Another solution that is currently receiving some attention would be to add a com- 
puter chip to the PIN and transition to the more secure “Chip and PIN” payment 
card technology. This technology employs a small computer chip to validate the card 
to the bank (i.e., confirm that it is not a counterfeit) at the Point-of-Sale (POS) ter- 
minal, in addition to requiring the cardholder to enter a PIN to prove he is the per- 
son authorized to use the bank-issued card. Chip and PIN technology dramatically 
reduces the value of any stolen “breached” data for in-store purchases because the 
payment card data is essentially rendered worthless to criminals. In addition, the 
PIN helps ensure that a customer and a merchant won’t be defrauded even if some- 
one steals the customer’s card. This combination serves as a deterrent to breaches. 
The failure of U.S. card networks and banks to adopt such a system in the United States is one reason why cyber attacks on brick-and-mortar retailers have increased domestically even as they have dropped overseas where the majority of the countries have adopted Chip and PIN payment cards. 

Despite the technology’s potential benefits, the Chip and PIN technology that is 
currently widely deployed in Europe and other developed countries, sometimes 
called “EMV technology,” would not provide the same level of protection in the 
United States because, as mandated by the card brands for the U.S. market, it does 
not require the use of a PIN. EMV — an acronym for Europay, Mastercard and 
Visa — is a proprietary technology controlled by the major card brands. Further, 
EMV, while not necessarily violating the Durbin Amendment, currently violates the 
spirit of that amendment by potentially stifling the competition in the debit routing 
market. 

No technology (and especially not EMV), is a panacea, and there is no “silver bul- 
let” to preventing cyber crime. EMV, in particular, would take years to realize the 
benefit in fraud reduction. As a result, our members are exploring other means of 
securing data, such as encryption and tokenization. Equally important, in addition 
to technological changes, our members are developing measures, such as estab- 
lishing information-sharing mechanisms, to address the advanced threats of the 
evolving cybercrime landscape. 

THE VALUE OF INFORMATION SHARING 

One critical aspect of next generation information security is the ability to share 
and receive actionable threat intelligence in a timely manner. Information sharing 
allows companies to better detect and defend against sophisticated cyber attacks 
and data security breaches. By working together and with Government to dissemi- 
nate and receive cyber threat information, companies can learn where to look for 
signs of an attack and how to alter their security systems to “plug holes” and block 
attempted intrusions carried out using techniques that were effective in earlier at- 
tacks. 

Importantly, third parties often possess information that can help us mitigate the 
risks of an attack. As the United States Secret Service (USSS) recently acknowl- 
edged in testimony before the Senate, “one of the most poorly understood facts re- 
garding data breaches is that it is rarely the victim company that first discovers 
the criminal’s unauthorized access to their network; rather it is law enforcement, 
financial institutions, or other third parties that identify and notify the likely victim 
company of the data breach by identifying the common point of origin of the sen- 
sitive data being trafficked in cybercrime marketplaces.” 1 Victims of cyber crime can 
then begin to extricate fraudsters from their system and prevent further data loss 
when they know that an attack has taken place. Creating structures where informa- 
tion regarding critical threats — and certainly actual breaches — is shared swiftly can 
be critical in preventing and minimizing losses from data breaches. 

The retail industry is in a particularly good position to both benefit from and 
bring value to information sharing with outside organizations and entities. Indeed, 
the history of data breaches affecting the retail industry indicates a pattern of in- 
creasingly sophisticated cyber attacks using similar tactics, techniques, and proto- 
cols (TTPs). During the recent spate of data breaches targeting the retail industry, 
the sector learned the value of such information sharing by receiving various reports 
and alerts from the USSS and FBI, as well as other Federal agencies (e.g., US- 
CERT and NCCIC) that highlighted cutting-edge TTPs. The retail industry also re- 
ceived valuable information from security research companies; for example, the 
iSightPartners report, which was disseminated through the National Cybersecurity 
and Communications Integration Center (NCCIC) in the wake of the Target breach, 
was of such particular value that NRF subsequently held a webinar for its member- 
ship where an iSightPartners’ representative presented on the report’s findings. In 
addition, in January 2014, the FBI shared a confidential report with the retail in- 
dustry titled “Recent Cyber Intrusion Events Directed Toward Retail Firms” that 
was designed to warn the industry regarding “memory-parsing” malware that can 
infect POS systems. While the warnings in the report — and the findings of the 
iSightReport — were useful to the retail sector, NRF realized that its members would 
have derived significant additional benefits had they been shared sooner. It would 
have been more helpful had an established, trusted entity representing the retail 
sector existed, at the time, to receive such information in real time and disseminate 
it to credentialed retail business security officers. 


1 Testimony of Criminal Investigative Division Deputy Special Agent in Charge William Noonan, available at: https://www.dhs.gov/news/2014/02/04/written-testimony-us-secret-service-senate-committee-judiciary-hearing-titled. 
One effective mechanism for sharing information, with a proven track record, is sector-specific Information Sharing and Analysis Centers (ISACs). In 2006, the Department of Homeland Security recommended that the Nation’s critical infrastructure sectors develop ISACs to more effectively share threat intelligence. Today, the National Council of ISACs has 15 member ISACs, including 13 representing or related to critical infrastructure sectors. While the retail industry is not critical infrastructure, NRF believes that the sector could benefit from taking a similar approach to information sharing. ISACs provide a trusted source and repository for critical threat information, whether provided by outside organizations or internal members. 

The Financial Services Information Sharing and Analysis Center (FS-ISAC) has 
been a leading example of a model that has assisted one sector in preparing for and 
defending against cybercrime. The FS-ISAC established various forums and tools to 
encourage and support information sharing among its members. Those include e- 
mail alerts that provide timely and actionable cyber threat intelligence, bi-weekly 
threat information sharing calls with security or risk management experts, as well 
as emergency conference calls to share particularly urgent threat intelligence. The 
FS-ISAC also conducts on-line webinar presentations for its members so they can 
share threat information and best practices. Using those tools, the financial services 
industry as a whole can remain aware of the most up-to-date attack prevention 
measures. As outlined in the next sections, NRF has already taken steps to create, 
or is in the planning stages of developing, similar mechanisms to encourage infor- 
mation sharing within the retail industry. The ultimate goal of these endeavors is 
to establish a robust ISAC equivalent for the retail industry (Retail ISAC). 

STEPS NRF HAS TAKEN TO CREATE A TRUSTED INFORMATION-SHARING PLATFORM 

NRF already brings together senior business, technology, and loss-prevention 
leaders through its Chief Information Officer (CIO) Council. One subcommittee 
within this Council, the IT Security Council, connects information security profes- 
sionals and focuses on, among other goals, promoting information sharing within the 
retail sector. NRF is currently using its authenticated IT Security Council email dis- 
tribution list (and expanding it to also include business leaders from the CIO Coun- 
cil) to push out actionable threat intelligence to the retail industry. While this list 
currently includes only NRF members, the intention is to broaden the list, and 
forthcoming Retail ISAC membership, to non-NRF members as well (meaning all re- 
tailers). 

Another step NRF has taken on the road to creating a Retail ISAC is to collabo- 
rate with, and learn from, the FS-ISAC. NRF has held several meetings with the 
FS-ISAC regarding its structure, communication methods, and policies. These meet- 
ings have allowed NRF to gain insight into how to operate an effective ISAC and 
avoid some of the growing pains that come with the creation of any new entity. As 
a result of these initial discussions, the FS-ISAC and NRF have taken steps to es- 
tablish a mechanism to push out relevant critical threat information from the FS- 
ISAC to NRF for further distribution to its authenticated IT Security Council mem- 
bers. The practical experience of receiving information through an ISAC will allow 
NRF to better understand how information is shared in an ISAC, and what filtering 
is necessary to ensure that useful information is reaching the right parties. 

NRF is also establishing relationships with key Government agencies. The Gov- 
ernment collects valuable information regarding security incidents through its cyber 
crime investigations and broad information sharing activities. NRF has held meet- 
ings with the United States Secret Service to discuss the methods the agency cur- 
rently uses to distribute critical threat information, and how the Retail ISAC could 
become a valued partner. Establishing a Retail ISAC will offer a quicker avenue for 
the USSS (and other law enforcement agencies) to share valuable information with 
the retail industry. 

NRF has also met recently with the National Cybersecurity and Communications 
Integration Center to discuss how the Retail ISAC could receive actionable intel- 
ligence for its members as quickly as possible. The NCCIC is a central communica- 
tions point for critical infrastructure entities, various Government agencies and 
international investigators where cybersecurity information is sent, analyzed, and 
shared with relevant parties in real time. NCCIC consists of four branches, including the U.S. Computer Emergency Readiness Team (US-CERT). These connections 
with the USSS and NCCIC are helping to establish an information-sharing bridge 
to the retail industry even as the Retail ISAC is under development. 

Working with trusted advisors, NRF is currently in the planning stages with re- 
spect to a final step in the development of the Retail ISAC: The establishment of 
the technological and operational infrastructure to support a secure portal through 
which members can share information. NRF’s goal is to allow credentialed members 
to share information of varying levels of sensitivity anonymously, thus allowing the 
Retail ISAC to act as a repository of critical threat, vulnerability, and incident infor- 
mation that is sourced from various members and outside organizations, and to fa- 
cilitate peer-to-peer collaboration with the sharing of risk mitigation best practices 
and cybersecurity research papers. As this final step is resource-intensive and re- 
quires the active participation of its membership, NRF anticipates that it may take 
several months before the Retail ISAC is fully operational. In the meantime, NRF 
has, and will continue to, provide mechanisms and tools for information sharing 
among the retail industry, as outlined above. 

As a final note on information sharing, NRF and its membership recognize that 
full, robust information sharing is sometimes hampered by legal restrictions. Ac- 
cordingly, NRF supports the passage by Congress of the bipartisan “Cyber Intel- 
ligence Sharing and Protection Act” (H.R. 624) so that the commercial sector can 
lawfully share information about cyber threats in real time, thereby enabling com- 
panies to defend their own networks as quickly as possible from cyber attacks that 
are detected by other businesses. 


CONCLUSION 

In closing, there are three important policies that NRF supports. 

First, the members of NRF support replacing today’s fraud-prone mag-stripe and 
signature cards with cards using PINs or open-standard “Chip and PIN” technology. 
NRF also supports efforts to develop and deploy end-to-end encryption or 
tokenization, but is opposed to the adoption of “EMV” technology as mandated for 
the U.S. market, as it presently would not require PIN-authentication of card-hold- 
ers and rely instead on simply a signature to authenticate the consumer. 

Second, NRF supports information sharing within its membership and the retail 
industry about cyber threats and has already taken several steps to create a Retail 
ISAC, and continues to actively engage in making that goal a reality. A retail-fo- 
cused ISAC will allow the industry as a whole to benefit from the information shar- 
ing that is so critical to effectively combat today’s evolving cyber threat. 

Third, we support passage by Congress of the bipartisan “Cyber Intelligence Shar- 
ing and Protection Act” (H.R. 624) legislation that will facilitate the sharing of cyber 
threat information in real time, thereby enabling companies to better defend their 
own networks based on critical information about attacks on other businesses. 

Thank you for your time today. I’d welcome your questions. 

Mr. Meehan. Thank you, Mr. Litchford. 

The Chairman now recognizes Mr. Rhoades for his testimony. 

STATEMENT OF MATTHEW RHOADES, DIRECTOR, CYBER- 
SPACE AND SECURITY PROGRAM, TRUMAN NATIONAL SECU- 
RITY PROJECT AND CENTER FOR NATIONAL POLICY 

Mr. Rhoades. Chairman Meehan, Ranking Member Clarke, Con- 
gressman Fitzpatrick, thank you for having me here today. Infor- 
mation networks provide hope to millions of people around the 
world by creating the conditions for innovation and human pros- 
perity to flourish, while enabling America’s mutually-supportive 
ideals of human rights, freedom, and opportunity. Unfortunately, 
they are also exploited by a variety of actors to further nefarious 
national, criminal, and ideological objectives. 

Frequently these groups, hacktivists, terrorists, criminals, and 
nation-states also overlap, working together towards complementary interests, while utilizing the inherent anonymity of cyberspace. In short, today’s technologies provide an unprecedented opportunity for humans to reach their full potential, while simultaneously increasing individual and collective security risks. These 
are facts that the Members of this committee know well, but they 
are worth mentioning here today because in cyber space, the dif- 
ference between espionage, crime, and attacks can be as simple as 
intent, or just a few keystrokes. 
Gaining and maintaining access to a network are the most difficult phases of a cyber incident, but once you are in a network, 
whether you spy, steal, or destroy is often a matter of choice. 
Criminals are developing new tools that are more sophisticated and 
more intuitive than previous generations, and then selling them in 
on-line marketplaces. This is lowering the barrier to entry, and giv- 
ing more actors the capability to threaten critical systems. Cyber 
crime, in this way, is connected to both National security, and the 
protection of private information, and no single entity, whether 
Government or business, can secure a domain that extends beyond 
traditional geographic boundaries. Cybersecurity is a shared re- 
sponsibility. 

To ensure our Nation is safe, the Government must coordinate 
the protection of our country’s most critical assets, while law en- 
forcement agencies impose the criminal laws of the United States. 
Governments must also find ways to cooperate with one another on 
investigations. Cyber crimes are often intentionally routed through 
multiple countries, particularly those who provide sanctuaries 
against international investigations. More must be done in the 
international arena to build the capacity of sanctuary states, and 
to discourage others that are complicit in criminal activities. 

Private companies must do their part as well. But in sectors 
where there is no choice in the consumer market, the Government 
should play a larger role in ensuring the security of critical net- 
works. Many companies are collecting, storing, and analyzing infor- 
mation on U.S. citizens. Securing those networks, protecting our in- 
formation, both require the private sector to take better responsi- 
bility for their own security. 

While information-sharing programs do not offer a cybersecurity 
panacea, they can contribute to collective security by creating a 
fuller picture of the threat environment. That said, there is a right 
way to share information, and a wrong way to share information. 
All irrelevant personally identifiable information should be re- 
moved before the information is given to the Federal Government, 
or to other private actors. Information coming into the Federal 
Government should have previously-defined acceptable uses, and 
be given to a civilian agency, and those who participate in informa- 
tion-sharing programs and exhibit negligent behavior should be 
held responsible. Getting this right matters. The way we build our 
domestic programs will have privacy and civil liberties implications 
for Americans here at home, but also for human rights activists 
and dissidents abroad. 

The unfortunate reality of cyber is that, given enough time, re- 
sources, sophistication, and motivation, an attacker will gain access 
to a network. As people become more dependent upon technology, 
the opportunities for crime, espionage, and physical disruption will 
increase. But by implementing commonly-held best practices, we 
can protect the great majority of our networks, secure our personal 
information, and allow our security agencies to focus on preventing 
attacks to critical systems. 

Thank you for the opportunity to join you today, and I look for- 
ward to your questions. 

[The prepared statement of Mr. Rhoades follows:] 
Prepared Statement of Matthew Rhoades 
April 16, 2014 

Chairman Meehan, Ranking Member Clarke, Members of the committee: Thank 
you for inviting me to appear today to discuss how the public and private sectors 
can work together to increase cybersecurity. 

Currently, I serve as the director of the Cyberspace and Security Program at the 
Truman National Security Project and Center for National Policy. Together, these 
two organizations represent more than 1,300 members with an expertise in numer- 
ous security issues — including cybersecurity — and a dedication to forging strong, 
smart, and principled National security policy for America. 

The rapid development of information networks over the past 30 years has al- 
lowed individuals and nations to grow and prosper. Today, our small businesses are 
global enterprises — reaching markets and customers on the other side of the world 
with the click of a mouse. The internet invigorates economic progress and helps peo- 
ple rise out of a cycle of poverty in the developing world. 

These tools also enable the expansion of America’s mutually supportive ideals: 
Human rights, freedom, and opportunity. Using the internet, democracy activists in 
nations ruled by oppressive regimes can organize to petition for their fundamental 
rights; vulnerable populations in conflict-ravaged areas can show the world the bru- 
tality of their own governments; and individuals can seek out new ideas to challenge 
their own beliefs. 

New technologies are providing hope to millions by creating the conditions for in- 
novation and human prosperity to flourish. Unfortunately, they are also being ex- 
ploited by a variety of actors to further nefarious national, criminal, and ideological 
objectives. 

Hacktivists — or on-line demonstrators — use information networks to target oppo- 
nents and draw attention to a political cause. Terrorists use information networks 
to spread their propaganda and recruit others to help commit acts of violence. 
Criminal organizations use the internet to steal from individuals and organizations 
all over the world and turn another’s loss into their financial gain. Finally, nation- 
states leverage these capabilities to spy on, steal from, and potentially attack their 
adversaries. 

Frequently, these groups — hacktivists, terrorists, criminal organizations, and nation-states — also overlap, working together towards complementary interests while 
utilizing the inherent anonymity of cyber space to make attribution even more dif- 
ficult. 

With each new day, the number of actors with access to these tools increases and, 
as a result, so does the number of potential victims. Roughly 90% of the world’s data 
has been generated in the last 2 years. 1 As more information is generated, confiden- 
tiality and privacy grow more vulnerable. Governments are losing once closely-held 
state secrets; companies are finding their intellectual property suddenly in the 
hands of competitors on the other side of the world; and individuals are losing con- 
trol over their private information. 

According to Symantec’s “Internet Security Threat Report 2014,” the number of 
breaches increased by 62% in 2013 with a total of over 552 million identities com- 
promised. 2 Additionally, targeted attacks grew by 91% and are increasingly aimed 
at small businesses. 3 

And as we are all aware, the recent, highly-publicized breach at Target — the sec- 
ond-largest retailer in the United States — compromised personal information on 70 
million customers by using software that may have cost less than $2,500 at an on- 
line marketplace. 4 Today, cyber criminals can use relatively easy-to-find software to 
make outsized gains. 

The Target example shows that even the largest companies with vast resources 
are vulnerable. Frequently, they are unaware that a breach has even occurred. One 
security provider recently announced that in 2013 the median number of days 
attackers were present in a network prior to discovery was 229 days. That is actu- 
ally 14 days less than the 2012 median. 5 


1 Science Daily, “Big Data, for better or worse: 90% of world’s data generated over last two years,” 22 May 2013, http://www.sciencedaily.com/releases/2013/05/130522085217.htm. 

2 Symantec Corporation, Internet Security Threat Report 2014; Volume 19, p. 5. 

3 Ibid, p. 5 & p. 18. 

4 Chris Smith, “Expert who first revealed massive Target breach tells us how it happened,” 16 January 2004, http://bgr.com/2014/01/16/how-was-target-hacked/. 

5 Mandiant, MTrends: Beyond the Breach, p. 1. 
In short, today’s technologies provide an unprecedented opportunity for humans 
to reach their full potential while simultaneously increasing individual and collec- 
tive security risks. 

These are facts that the Members of this committee know well, and they are 
broader than the scope of this hearing. But they are worth mentioning in this con- 
text because in cyber space, the difference between espionage, crime, and attack can 
be as simple as intent, or just a few keystrokes. 

Gaining and maintaining access to a network are the most difficult phases of a 
cyber incident. Adversaries spend a great amount of time, energy, and resources to 
seek out and secure vulnerabilities that provide access. But once they are in the net- 
work, whether they spy, steal, or destroy is a matter of choice. 

Furthermore, criminals are developing new tools that are more sophisticated and 
more intuitive than previous generations, and then selling them in on-line market- 
places. This reality is lowering the barriers to network entry and giving more mali- 
cious actors the capability to threaten critical systems, in both the private and pub- 
lic sectors. 

Cyber crime, therefore, is linked to National security and the protection of private 
information. All of the actors using cyber space for illegitimate means need 
vulnerabilities to exploit, and no single entity — whether Government or business — 
can secure a domain that extends beyond traditional geographic boundaries. In 
cyber space, one weak link can compromise the security of the entire system. Cyber- 
security is a shared responsibility. 

To ensure our Nation is safe, the Government must coordinate the protection of 
our country’s most critical assets against sophisticated, destructive attacks while 
law enforcement agencies impose the criminal laws of the United States in the cyber 
domain. Through the development of new tools and the continued maturation of the 
National Cybersecurity and Communications Integration Center (NCCIC), the De- 
partment of Homeland Security (DHS) is addressing this responsibility. 

But more can be done. For example, the effectiveness of the NCCIC is directly 
tied to the level of participation by other Federal agencies. Yet, those agencies are 
not currently required to share information with DHS. If we are going to task DHS 
with the responsibility for leading the protection of Federal civilian agencies, then 
we must give them the authorities required to be successful. 

Governments must also find ways to cooperate with one another on investigations. 
Cyber crimes are often intentionally routed through multiple countries, particularly 
those who provide sanctuaries against international investigations. When an inves- 
tigation leads to a new jurisdiction, the investigators are suddenly at the mercy of 
another government. More must be done in the international arena to build the capacity of nations that do not want to be criminal sanctuaries and to discourage others that are complicit in criminal activities originating in their territory. 6 

Private companies must do their part as well. Most of this country’s critical infra- 
structure is privately-owned and operated, but market forces alone have yet to 
incentivize broad-scale use of cyber risk management strategies. Many companies 
are working to protect their networks, but too many are not doing enough. And in 
sectors where there is no choice in the consumer market — where a public good is 
being provided by a private actor — the Government should play a larger role in en- 
suring the security of critical networks. 

Additionally, many companies are collecting, storing, and analyzing information 
on U.S. citizens. This information deciphers everything from our travel habits to our 
personal interests. Securing our most important networks and protecting our per- 
sonal information requires the private sector to take better responsibility for their 
own security. 

Finally, individuals have to take responsibility for our on-line behavior as well. 
Although there are sophisticated hackers at work, most compromises take advan- 
tage of existing vulnerabilities that have not been patched but could have been. The 
more hardened a target becomes, the more likely a hacker will look for a less secure, 
peripheral target as a means to get in. This is likely the reason that targeted at- 
tacks are increasingly focused on small businesses. We must contribute to a culture 
of security that is respectful of the rights of others, while contributing to the secu- 
rity of the whole system. 

Universities across the country, including Drexel University here in Philadelphia, 
are developing educational programs to ensure the next generation is prepared to 
combat cybersecurity threats. These are important initiatives that warrant support. 
However, it will take a generation for them to fully bear fruit. More also needs to 


6 Richard A. Clarke, Securing Cyberspace Through International Norms: Recommendations for 
Policymakers and the Private Sector, Good Harbor Risk Management, LLC, p. 23. 
be done to make today’s users aware of the risks associated with their on-line behavior. 

Getting this model of collaborative security correct is dependent upon trust. Gov- 
ernments and private entities must work together to mitigate threats. Both, how- 
ever, are collecting vast quantities of information on individuals. The more informa- 
tion they store in their databases, the more attractive those databases become to 
criminals. What they share and how they share has serious privacy and civil lib- 
erties consequences for individual consumers. 

While information-sharing programs do not offer a cybersecurity panacea, they 
can contribute to collective security by creating a fuller picture of the threat land- 
scape. That said, there is a right way to share information and a wrong way to 
share information. All irrelevant personally identifiable information should be re- 
moved before the information is given to the Federal Government or another private 
actor. Information coming into the Federal Government should have previously-de- 
fined acceptable uses and be given to a civilian agency. And those who participate 
in the program and exhibit negligent behavior should be held responsible. Getting 
this right matters: The way we build our domestic programs will have privacy and 
civil liberties consequences for Americans and for human rights activists and dis- 
sidents overseas. 

The reality is that given enough time, resources, sophistication, and motivation, 
an attacker will gain access to a network. And as people become more dependent 
upon technology, the opportunities for crime, espionage, and physical disruption will 
only increase. But with collaboration built upon trust, I believe we can reduce our 
vulnerabilities. By implementing commonly-held best practices, we can protect the 
great majority of our networks, secure our personal information, and allow our secu- 
rity agencies to focus on preventing sophisticated attacks against our most critical 
networks. And, in the end, we can more fully realize the potential of new tech- 
nologies to expand freedom and opportunity at home and abroad. 

Thank you for the opportunity to join you today, I look forward to answering any 
of your questions. 

Mr. Meehan. I thank each of the panelists for your testimony, 
and your full written statements will become part of the record, so 
I now recognize myself for 5 minutes of questioning. 

Mr. Peters, thank you for taking the time to be here with us 
today, representing not only your bank, but many smaller to mid- 
sized institutions as well. I was struck by the figure that you gave 
me, a million dollars that you are spending at a relatively sophisti- 
cated bank in and of itself, but relatively, you know, smaller, com- 
pared to the big New Yorks, or — that is a million dollars off the 
bottom line. That is a lot of investment. Can you tell me how you 
are using that kind of an investment, and how you make the 
choices about where to, you know, put those kinds of decisions 
about what you use, and what you rely on to come from other 
places? 

Mr. Peters. Well, a lot of it, Mr. Meehan, is a risk-reward type 
thing. We spend a million dollars. We could probably spend two or 
three if we wanted to. It goes really basically for software. I men- 
tioned multi-level protection. That is the most important thing, is 
you have three or four different layers, and they all look at things 
differently, and that will kind-of catch things. We use a lot of out- 
side vendors who come in and do intrusion tests on us. We have 
19 people in our IT department, whatever — and it sort of points up 
a point which Mr. Fitzpatrick brought up a second ago, about — how 
about small banks, or how about small businesses? That is really, 
you know, we are fortunate we are large enough — we spend a mil- 
lion dollars, and we can afford to spend it. But you get a bank that 
is a $3- or $400 million bank, or you get a small business with 25 
or 50 employees, they have a lot of trouble spending that type of 
money for this, and I think that is really one of the real challenges 
which we have going forward. 
We do not see, by the way, that decreasing going forward. If we 
are — we spent a million dollars last year. We probably spent 
$800,000 the year before, and I think this year the budget is a $1.2 
million or $1.3 million. So we are going to see this continue to escalate. 

Mr. Meehan. Now, do you issue credit cards and other things out 
of your institution? 

Mr. Peters. We do not issue a credit card. Banks our size usu- 
ally don’t. There are usually five or six large banks in the country 
that issue them. However, we do issue debit cards, and, of course, 
they get compromised. On the Target situation that happened, we 
had to replace over 1,000 cards, and to, once again, Mr. 
Fitzpatrick — accommodation cost us $5 or $6 to replace that card. 
Everybody has to be personally called. They have to come into the 
bank personally to replace it, and there is a lot of inconvenience 
and time. We get no — absolutely no compensation for that at all, 
and this happens many, many times during the year. 

But we see — very frequently we see compromised debit cards. It 
could — Target is obviously the most visible one, but there have 
been lots of other little ones around that we get reports on once a 
month. You know, your — at least 50 cards have been compromised. 

Mr. Meehan. I think that is one of the points that is made, is, 
notwithstanding that sometimes a lot of identities are taken, that 
the — turning that into some sort of a compromised situation still 
takes a few more steps. So a lot of names are sold, but then we 
see phishing, and other kinds of things that take place to try to get 
that identity to themselves do something that allows them to be 
further compromised. Isn’t that right, Mr. Litchford? 

Mr. Litchford. Right. Well, I — and I think the previous panel 
addressed the fact that consumers need to be educated too, and to 
protect their sensitive data. But, at the same time, in terms of the 
retail breaches, the data that they are getting alone is not enough 
for identity theft. It is primarily the card numbers that they are 
after. What the bad actors do is then, in turn, sell those numbers 
in bulk. As you know, with the current technology of those cards, 
it is very easy to then go make a counterfeit card. Because we are 
using signature as the second form of authentication, it is very 
easy for them then to go commit fraud with those numbers. 

So the costs here are on the banks and the retailer side. At most, 
the consumers are probably inconvenienced. I mean, I, for one, was 
part of the Target breach, and Chase replaced my card, and I had 
to go through and update my auto payments, and things like that. 
So it was more of an inconvenience at the consumer level, but the 
cost of that fraud is being borne by the commercial businesses, 
such as banks and retailers. 

Mr. Meehan. Now, you have also mentioned the idea of the tech- 
nology, 50-year-old technology. What is the solution with respect to 
the cards? You mentioned what is happening in Europe, but that 
isn’t a preferred solution for you. What is the 

Mr. Litchford. Right. 

Mr. Meehan [continuing]. Solution? 

Mr. Litchford. I think there are a couple things. I mean, first, 
you know, just back to EMV, to understand, EMV was created over 
20 years ago to address a problem outside of the United States that 
was not a particular issue in the United States. When that technology 
was developed, it had no inkling of this thing called the 
internet, or e-commerce, or now what is called emerging mobile 
commerce, with mobile payments. So that technology is designed to 
only stop counterfeit cards predominantly. Or if I were to lose the 
card, and you were to pick that card up and try to use it, it would 
stop that, because it has a PIN on it, right? 

So with that, if the cost to implement that type of technology in 
the United States, which we anticipate on the retailer side alone 
is over $30 billion 

Mr. Meehan. Why so much? 

Mr. Litchford. Because of the cost of replacing the equipment 
and software, and training at the stores. There is — again, the cost 
is anticipated to be anywhere from, I think, $500 to $1,500 per 
lane. So when you are in a retailer, they are having to replace not 
just the hardware, but train their people how to use it, replace the 
software that handle the systems, and things like that. 

So, again, we just believe that that money could be better spent 
addressing the entire ecosystem, not just part — present situations, 
such as in stores, but also to start looking at 

Mr. Meehan. Well, what is the entire situation? Because as you 
are speaking, I am considering the idea. I am thinking 

Mr. Litchford. Yeah. 

Mr. Meehan [continuing]. In the one sense, why wouldn’t we be 
moving forward into newer technology? But, at the same time, if 
you are spending $30 billion to do this, the dynamic nature of — are 
they going to find some other way to get into the middle of that 
transaction, so it is not done at the counter, but it is done some 
other 

Mr. Litchford. Right. 

Mr. Meehan [continuing]. Part 

Mr. Litchford. So EMV, as a technology, the card number is 
still in the clear, just so you know. The encrypted portion of EMV 
is just to validate that the card is the real deal, this is not a coun- 
terfeit card. So we could still potentially see those — they are called 
PANs, or personal account numbers, exposed, and then used to do 
transactions in other environments, such as on-line or mobile. 
Which is where, frankly, the industry or — and consumers are 
going. 

So, you know, even where EMV has been deployed, you know, we 
are quick to tout, yes, we have stopped all this fraud in our stores, 
but we have moved the equal percentage to on-line environments, 
so the fraudsters will go to where they can easily monetize the 
data. So, from a retailer’s perspective, what we want to do is — we 
know this cyber war we are in is a war that is going to be a con- 
tinual war. The goal is not necessarily to stop breaches, but to stop 
their ability to monetize any data that they would get from that 
breach. 

So retailers are already taking steps now to try to eliminate any 
of that sensitive data within their systems. As an example, I am 
already seeing many retailers start to invest in significant cost into 
something called encryption and tokenization. So once I swipe my 
card at the retailer’s terminals, it is immediately encrypted, so that 
that number is no longer in the clear. Of course, we have to work 
with financial institutions to handle things like that, as well as 
tokenization. 

So, again, you know, I think the money — another thing you can 
do, by the way, is, on your current mag stripe card, is you could 
simply put a PIN on that today, and that would have probably 
stopped most of the fraud that is occurring in the United States. 
So, again, our position is we would like to see the entire payment 
ecosystem addressed, not just focus on a particular piece of that. 
Even then the focus is on — at least what the cards are pushing 
down on retailers is not even to have PINs. They want to just put 
a chipped card out there, and still allow you to use your signature 
for that. So we think that is not a full solution. 

Mr. Meehan. Well, I thank you. My time is expired, and I will 
turn to the gentlelady from New York. 

Ms. Clarke. I thank you, Mr. Chairman. I want to also thank 
our expert panelists, and say — and respond to Mr. Peters, and your 
earliest salutation to me, that hope springs eternal. 

Mr. Peters. Right. 

Ms. Clarke. The private sector’s focus is on the development and 
implementation of technology systems to protect computer intru- 
sions and malicious code, internet fraud, spam, and if a crime does 
occur, to detect it, and gather admissible evidence for an investiga- 
tion. The private entities that focus on these technological efforts 
include internet service providers, security vendors, software devel- 
opers, and computer forensic vendors. 

Internet service providers offer businesses and home users var- 
ious levels of access to the internet, and other internet-related serv- 
ices, such as customer support, and spam and virus protection. Pro- 
viders also assist law enforcement by monitoring and providing in- 
formation on selected internet activities, and provide technical ex- 
pertise. 

How does a company who employs the services of security ven- 
dors decide when to report a cyber crime, and when to allow or en- 
courage its security vendors to cooperate with law enforcement in 
the investigation and prosecution of a cyber crime? Can you give 
a sense of, you know, how does it all come together, and, you know, 
what is that moment where it sort of says, eureka, let us move in 
this immediately, because it is me now, it could be someone else 
in the next 

Mr. Peters. If I could start? Yeah, first of all, we report every- 
thing. We are required, as a financial institution, to file something 
called suspicious activity reports, SARs, with the Federal Govern- 
ment anytime anything happens. It could be somebody who is try- 
ing to launder cash through a teller, but in many cases now, actu- 
ally, it is computer fraud. There is identity theft. I think last year 
we stopped 14 cases of identity theft at our bank. Unfortunately, 
one did get through. On the other hand, we get 30 attacks a night, 
30 attacks in our computer system a night. Most of them are from 
China. 

So we actually report everything to the Federal Government. We 
are required to do that, and we do that, and to local law enforce- 
ment. If something has identity theft, we will go to the local au- 
thorities, usually our township folks, and report that to the police 
department. 
Mr. Litchford. Yes. So, again, in retail, the predominant data 
that these bad actors are going after is credit card information, and 
many times it is not the retailer that knows that the — that a crime 
is occurring. It is typically, for example, our financial institution 
friends that have pretty decent algorithms for what is going on 
with fraud, that they are able to then, for example, call a retailer 
and say, we suspect something is going on. Then at that time — I 
am — can’t speak for all retailers, but I assume that the law enforcement 
is then engaged. 

One of the problems that we have in retail is the myriad of laws 
that they have to abide by, not only in the United States. I believe 
it, and I hope I get the numbers right, I think it is 47 States, plus 
the District of Columbia, have different uniform breach notification 
laws. So one of the — so you can imagine now what a retailer is try- 
ing to go through to figure out, you know, how do I respond to this 
State versus that State. Then — so part of the thing — things our 
members, and NRF, is for is a uniform breach notification law. 

Ms. Clarke. That is interesting. I had no idea that it was based 
on the States how you go about reporting. Very well. 

Mr. Litchford. Right. 

Ms. Clarke. Then, when you think about the fact that many re- 
tailers are also international now, it adds another layer of 

Mr. Litchford. Yes. 

Ms. Clarke. Challenge. 

Mr. Litchford. Yes. 

Ms. Clarke. I wanted to just revisit with you a moment the 
whole idea of chip and PIN. 

Mr. Litchford. Um-hum. 

Ms. Clarke. It is a global standard, and we seem to be the 
outlier, as the United States. As you have spoken about your think- 
ing around it, you talked about the idea of the mobile and the on- 
line — 

Mr. Litchford. Um-hum. 

Ms. Clarke [continuing]. Purchasing, particularly when it comes 
to retail items. How does that impact on our industry, the fact that 
we are outliers with the swipe and signature, versus the chip and 
PIN? 

Mr. Litchford. Right. 

Ms. Clarke [continuing]. You give us a better sense of that? 

Mr. Litchford. Well, I think the obvious impact is the bad ac- 
tors have come to the United States to get that data now, because 
it is a place that is green pastures for them, and then they can 
breach systems, get the data, and then easily monetize it. So, 
again, the challenge here is what can we do with the current mag 
stripe technology to try to reduce some of the fraud that does occur 
when the data is breached? So I could simply put a PIN on a mag 
stripe today, and pretty much stop a lot of the fraud that is going 
on, because even if they made a counterfeit card, they would not 
necessarily have the PIN that goes with that card. 

The other issues, you know, with EMV, again, is they are pro- 
posing in the United States not to — they are calling it chip and sig- 
nature, or chip and choice, which everywhere else in the world is 
chip and PIN. So we are wondering what — why do you not want 
a PIN? What is the problem here? We know PINs are the way to 
safeguard things, whether it is on a mag stripe or a chip card. 

Then a further potential issue we have with EMV is it is a pro- 
prietary standard, meaning it was developed by the cards them- 
selves. With that, today, retailers, there are two rails, so to speak, 
that you go over for your authentication, or your authorization. 
One would be — what — you might think is the credit rail, and the 
other is the debit rail. What is really going on behind the scenes 
is you have a signature authorization, or a PIN authorization. 
When that transaction is a PIN authorization, retailers today have 
choice of about 18 different providers that they can go to, based on 
the fees that are going to be charged to them for that authoriza- 
tion. EMV does away with that. The debit routing is determined by 
the card itself, therefore, by the issuer, not the retailers. 

Ms. Clarke. That is interesting. Is there an advantage to being 
in a separate system all to ourselves, in terms of these retail trans- 
actions? In other words, that is driven by the card, versus, I don’t 
know, the public, or the 

Mr. Litchford. Right. 

Ms. Clarke [continuing]. Retailers, or — I mean, when you think 
about the fact that everywhere else, you know, for the most part, 
we are dealing with chip and PIN. Is there an advantage to us 
maintaining our own uniqueness, if you 

Mr. Litchford. Right. Well, and keep in mind, at the time of 
EMV, the United States was far along, and well ahead, in the so- 
phistication of our payment networks, versus the rest of the world. 
Today, keep in mind, if you see an EMV card from somewhere else 
in the world, or even many U.S. cardholders have EMV cards be- 
cause they travel internationally, if you look on the back, it still 
has a mag stripe on it, right? 

Going forward, even if we were to pursue that technology in the 
United States for at least 5 years or so, those cards are still going 
to have mag stripes on the back of them for transitional purposes. 
So I am not going to see benefit from Day 1 of deploying EMV tech- 
nology. That is why I made the comment that you could put PINs 
on credit — on mag stripe cards today and pretty much immediately 
see an impact, not having to wait for this transitional period, and 
then use those investment dollars to address the entire payment 
ecosystem, not just what we call a card present, or in-store trans- 
action. 

Ms. Clarke. Thank you. Mr. Chairman, I thank you for your in- 
dulgence, and yield back. 

Mr. Meehan. I thank the gentlelady. Turn to Mr. Fitzpatrick, 
from Bucks County. 

Mr. Fitzpatrick. Mr. Litchford, isn’t one of the issues with this 
chip and PIN, or chip and choice, the — in terms of economies and 
scale, and smaller merchants, the cost of new technology require- 
ments and terminals? 

Mr. Litchford. Um-hum. 

Mr. Fitzpatrick. Can you elaborate on that? 

Mr. Litchford. Well, again, we have estimated the cost to be, 
you know, somewhere in the lines of $600 to $1,500 per terminal 
on the retailer side to deploy the ability to accept EMV cards. Is 
that the question? Again, that is just in retailers, right? So keep 
in mind, if we deploy EMV technology, there are many, many other 
types of businesses that take credit cards that will also have to up- 
grade their infrastructures, as well as the financial institutions 
themselves. They have all the ATMs out there that they need to 
replace. So there are just huge and significant costs involved. 

Mr. Fitzpatrick. So retailers just consider it cost of doing busi- 
ness, part of the security costs going forward? But should there be 
a recognition on the difference between a large-scale retailer, like 
Target, versus a smaller mom-and-pop operation? 

Mr. Litchford. I am not sure what you are asking there. I 
mean, the cost is the cost. I think when you look at the retailers, 
the larger ones, like Walmart, for example, are already ready for 
EMV, predominantly because they are a global retailer, and they 
use standardized deployment of POS systems. So whatever they de- 
ploy to the United Kingdom gets deployed to the United States, so 
therefore they are already ready for EMV. 

Mr. Fitzpatrick. Back to your previous testimony, I think what 
you said is that we need to recognize that, in the future, there will 
be cyber attacks, and some of those attacks will be successful, but 
the real key is trying to determine the best way to minimize the 
damage, and precluding any monetizing of that information in the 
future. 

Mr. Litchford. Right. 

Mr. Fitzpatrick. It has now been 5 months since the successful 
attacks on the Target operation. What have we learned, and what 
have we changed, as a Nation, in those 5 months? 

Mr. Litchford. Um-hum. Well, again, I think one of the biggest 
things that, from the retail perspective, we are calling for is the 
lack of information, and the lack of critical information getting to 
us relatively speedy. As an example, from the Target breach itself, 
the first data that we had that we could disseminate to our mem- 
bers was January 16. In the mean time, we know, through these 
ISACs, that data was being exchanged. But my members were call- 
ing, you know, what can I do? How do I know that I have not got 
the same malware problem? 

As soon as we got that data, NRF did a webinar with iSIGHT 
Partners, who was one of the publishers of the paper, to our mem- 
bers, and walked them through. This was a very technical call. 
These are the signatures you need to look for, these are the DLLs 
you need to look for. But, again, that was a month after Target was 
announced, right? So one of the things, based on that learning, that 
we are moving forward with is this establishment of a retail ISAC. 

So even though retail is not identified as a critical infrastructure, 
we are going to go ahead and develop this ISAC. We are working 
with financial services ISAC, the Secret Service, NCCIC, and US- 
CERT to make sure that we get this up and running. In the meantime, 
time, we are establishing a listserv to push data out one way. As 
soon as that is up, which we expect to be in the next week or so, 
that will then be immediately fed with TLP White and TLP Green 
alerts. Are you familiar with the traffic light protocol? So green is 
information that is shareable to the public — or white is to the pub- 
lic, green is to the community. But the amber and red alerts I am 
not able to push out yet. So as NCCIC is pushing out these alerts 
in real time, I cannot share those until I get to a full-blown ISAC. 
But this whole concept of sharing and collaboration is just huge, 
and getting as near-real-time as we can, because the goal is we 
don’t want to be reactive. We want to get proactive, so we want to 
know everything we can coming from all the services that provide 
this type of information, so that we can then take a proactive 
stance to protect our systems. 

Mr. Fitzpatrick. Special Agent Quinn from the FBI indicated in 
his testimony that some institutions would be reluctant from re- 
porting. Now, Mr. Peters, you talked about, in your industry, you 
are required to report. 

Mr. Peters. Yes. 

Mr. Fitzpatrick. The FBI — he indicated some might be reluctant 
to support, I suspect because competitors would take advantage of 
that lapse in security. Is that your understanding? 

Mr. Peters. I don’t know that I can speak to the reluctance. I 
mean, one of the things, from working with the Secret Service, is 
these Electronic Crimes Task Force, and getting that information 
out to the retailers so that they establish a relationship with that 
organization, so that, when they do get the call, it is not nec- 
essarily, you know, hello, this is the Secret Service calling you. It 
is, hello, this is Ari calling you, yeah, what is up? We have that 
ability, and that relationship, so that we are comfortable now work- 
ing with law enforcement and moving forward. 

Again, from the breach notification perspective, it is the problem 
of all the different laws in the States that we have, that we are 
trying to now figure out, what do I have to do? 

Mr. Fitzpatrick. Thank you. 

Mr. Meehan. I thank Mr. Fitzpatrick. Let me just ask a follow- 
up question. Mr. Rhoades, you — your testimony speaks to an issue 
which, as I alluded to in my first line of questioning with the ear- 
lier panel, but it is still — again, it is very, very disconcerting that 
the median time 

Mr. Rhoades. Um-hum. 

Mr. Meehan [continuing]. That — days before someone appre- 
ciates businesses or otherwise that there is, you know, there is ac- 
tivity within — inside their networks is 229 days, median, before it 
is recognized. In addition, we are seeing, particularly from the 
Eastern European, that, once in the system, they are using that 
window to create software that mimics the actual operation of the 
entity 

Mr. Rhoades. Um-hum. 

Mr. Meehan [continuing]. Which makes it even more difficult. So 
are we walking into a period here where detection is going to be- 
come increasingly more difficult, and longer, and therefore a great- 
er opportunity for compromise? 

Mr. Rhoades. I don’t know if detection will become longer. The 
report that I cited in my written testimony, the 229 days, while 
staggering and very long, was actually an improvement over what 
that security provider had found in the previous year by about 2 
weeks. The adversaries are becoming more sophisticated, though, 
so it may be more difficult to notice them. This is especially true 
for — you mentioned earlier a non-profit. There has been some con- 
versation around small businesses. One of the things — the previous 
panel was enlightening. I thought one of the things that was missing 
was the human power that is required to do these things. 

So, technology is nice. Technology really, in this space, only en- 
ables policies and processes for an individual, business, or entity to 
protect itself. Cybersecurity, at its core, eventually comes down to 
people. So, to have trained people to understand when they receive 
information from others, how they can actually incorporate that 
and protect their networks, to have people that are trained to use 
the technologies that they have so that they can detect anomalies 
in their networks, I think that is the fundamental challenge, espe- 
cially with small businesses and non-profits. That is the biggest 
challenge for these actors getting more sophisticated. 

I think the technologies will advance to be able to pick up some 
of these network anomalies, but do you have an individual on the 
other side watching that that can sort of understand what to do 
with that information? 

Mr. Meehan. Let me take it from the other side, which is the 
information that is collected. I mean, we are now dealing collec- 
tively in Washington with an issue regarding personal information, 
the recognition that the Government, in certain capacities, may be 
tracking if you made a phone call. 

Mr. Rhoades. Um-hum. 

Mr. Meehan. Yet what strikes me is, while that is an important 
privacy question that we have to deal with, the wealth of informa- 
tion that is being collected about our activities out there in the 
cyber world, consumer world, or wherever, is overwhelming 

Mr. Rhoades. Um-hum. 

Mr. Meehan [continuing]. So much so that people are looking at 
tendencies, they are looking at the ability to know a great deal 
more about us than ever before. So where is the boundary with re- 
spect to what is appropriate to collect about individuals without a 
corresponding obligation 

Mr. Rhoades. Right. 

Mr. Meehan [continuing]. For security? Looking at the Univer- 
sity of Maryland situation, where, you know, they kept legacy in- 
formation for some 300,000 people, where is there some cyber hy- 
giene going where people are determining that, you know, a certain 
amount of information is all that is needed, and we are going to 
excise all the unnecessary information? Seems we are going in op- 
posite directions. 

Mr. Rhoades. Yeah, I think certainly the individual is losing 
control over our private information going forward. I can remember 
the first time I was at a particular retailer, and I purchased a bot- 
tle of wine, and they scanned my driver’s license. That was without 
asking. That was just part of their policy. I wasn’t given the oppor- 
tunity to necessarily agree or disagree with it, or to question what 
information was being collected. I still, to this day, am not quite 
sure what they store for how long, and how it is used. That is a — 
that is not to pick on a particular retailer. I think that is now a 
common case, that there are entities, some legitimate, some illegit- 
imate, that are taking this information and using it to monetize. 

So I think this is — there is a new emphasis, particularly over the 
course of the past 12 months, in the American public dialogue on 
privacy and civil liberties. I think, as these technologies advance, 
we need a broader National conversation about what we feel is appropriate, 
and we feel is maybe too much, and to find a way for 
individuals to somehow gain a little bit, or feel they have gained 
a little bit more control over their private information. 

Mr. Meehan. Who controls that? Who becomes the arbiter of 
that, and how is that enforced? 

Mr. Rhoades. Well, the overall arbiter, ideally, would be the 
American people. Having this conversation, particularly through 
you all, our representatives, and deciding what is appropriate, and 
what is not. That often does not — is not the way things work, I un- 
derstand that, but I think that this is where we, as average citi- 
zens, particularly look to you to represent our best interests. 

Mr. Meehan. Well, I thank you. Do any of my colleagues have 
any follow-up questions? Chairman recognizes Ms. Clarke. 

Ms. Clarke. Thank you, Mr. Chairman, and I want to agree 
with you on the need to have this conversation. I wonder how much 
of this debate is generational 

Mr. Rhoades. Um-hum. 

Ms. Clarke [continuing]. Simply because younger people live 
their lives through this medium 

Mr. Rhoades. Um-hum. 

Ms. Clarke [continuing]. In a way that perhaps my parents, and 
even me, to a certain degree, don’t. You know, I am a hybrid. My 
mom is all-in now, she is texting. But, you know, there is a con- 
versation that needs to be had, because things that we believe are 
private, young people don’t necessarily believe the same thing. So 
when you transfer that into the final arbiter, which in — oftentimes 
are the courts now, the application of current day law to what they 
are actually doing, there is a disconnect. You know, because — there 
is almost a voluntary surrender of privacy through this medium in 
certain parts of the internet, social networking, for instance, and 
so that conversation needs to happen, because I am just concerned 
that we establish a standard so that people can then gauge them- 
selves accordingly. I think at a certain point it is going to become 
almost moot, because everyone’s information is going to be out 
there, so it is going to cancel out. 

But, having said that, data breaches involve personally identifi- 
able information, as the Chairman has stated, and under many cir- 
cumstances, and for many reasons, they can be inadvertent, such 
as from the loss of an electronic device, or deliberate, such as from 
a theft of a device, or a cyber-based attack by a malicious indi- 
vidual or group for a nation, a terrorist, or the adversary. Incidents 
have been reported at a wide range of public-private sector institu- 
tions, including Federal, State, local government agencies, edu- 
cational institutions, hospitals, other medical facilities, financial in- 
stitutions, retailers, et cetera. 

The loss or unauthorized disclosure or alteration of the informa- 
tion residing in private and public systems, which include this PII, 
can lead to serious consequences and substantial harm to individ- 
uals in the Nation. It is critical that not only Federal agencies, but 
privately-owned companies also protect their systems, and the in- 
formation on them, and to respond to data breaches and cyber inci- 
dents when they occur. The President asked, in his cybersecurity 
Executive Order, 136-36, that there be a separate section on pri- 
vacy, civil liberty protections, and PII. It contains a new subsection, 
entitled, “Methodology To Protect Privacy and Civil Liberties”, and 
is Appendix B of the primary framework. 

Could you give us an update 

Mr. Rhoades. Um-hum. 

Ms. Clarke. You know, I threw out sort-of my thinking, and, you 
know, I am left-handed. But, you know, what do you think the update 
on the discussion is, and the collaboration among public and 
private entities regarding privacy and civil liberty concerns? 

Mr. Rhoades. Sure. So, as you mentioned, in the Executive Order the 
President asked, through the programs that are implemented under that 
Order, for the senior privacy and civil liberties officers at each of 
the agencies involved to look at those programs and do a risk-based 
assessment, in terms of privacy and civil liberties, and to offer some 
strategies going forward to mitigate some of those risks. 

I believe earlier this week, or it may have been last week, the 
Department of Homeland Security released its first assessment of 
that, which, to me, it — I think that is an important point for two 
reasons. No. 1, it gives, for those of you who do oversight over the 
administration, the opportunity to sort of baseline these things, 
look at some of their recommendations that are in-house, and then 
follow those as we go forward to ensure they have been implemented. 

But I also think that is an important document strictly from an 
emphasis on privacy and civil liberties. The specific recommendations 
didn’t necessarily stand out to me as game changers, but in 
terms of getting overall cybersecurity right, this is a real challenge, 
in that it requires trust at every level. 

I think, through both panels of this hearing, we have heard there 
are multiple levers of — level of users, from nation-states, to big 
corporations, to small corporations, to non-profits, to individual 
end-users. I agree with the Chairman when he said that this is a 
shared responsibility, so all of these levels must work together. 
Frankly, here we have seen less trust from the average American 
citizen to the Federal Government. So I think it is important 
domestically to start to rebuild some of that trust, particularly in 
light of the National conversation over the last year. 

I also think it is really important internationally, because, as I 
said, we are the first generation to sort of try to develop the 
doctrines and the concepts around these new technologies. The fact is 
the rest of the world is watching us as we struggle to come up with 
those ideas. How we do things here in the United States is going 
to greatly affect the next Green Movement in Iran, the next Tahrir 
Square, so we need to be very cognizant of those as well if we do 
still want to stand for some of those fundamental American rights 
of individual opportunity, of individual freedom, of free speech. 

So I think, for those reasons, that emphasis in the E.O., and then 
the most recent report is important. But then I would also encourage 
you all to look at some of the recommendations, and to ensure 
that the Executive follows up on their own assessments. 

Ms. Clarke. Thank you, Mr. Chairman. I yield back. 

Mr. Meehan. Well, I want to express my deep appreciation to each of 
you, not just for your preparation for your testimony today, and the 
work, and — you have put into those thoughtful comments, but for your 
on-going work in this area in each of your respective venues. It is 
a debate — not a debate, it is a dialogue that we are going to have 
to be continuing well into the future. I want to express my 
appreciation to our colleagues, and particularly my — the Ranking 
Member for taking the time to travel here from New York. 

I want to close by thanking our hosts here at Drexel, and for the 
tremendous work that they are doing in being on the vanguard in 
both — not just education, but research and development in this 
important area of cybersecurity. I am grateful for their efforts. 

So, on behalf of the committee, the subcommittee stands adjourned. 

[Whereupon, at 12:49 p.m., the subcommittee was adjourned.] 